hardSecurityExpress
The path walker
A developer asked an AI assistant to build an endpoint that serves user-uploaded files by filename from a local uploads folder. The suggested code works for normal filenames, but lets a malicious request read arbitrary files off the server's filesystem.
files.js
app.get('/files/:filename', (req, res) => {
const filePath = path.join(__dirname, 'uploads', req.params.filename);
res.sendFile(filePath);
});What can an attacker do by requesting GET /files/..%2f..%2f..%2fetc%2fpasswd?
Read arbitrary files outside the uploads directory — path.join doesn't stop '..' segments from escaping the intended folder, enabling path traversal.
Nothing — Express automatically blocks any filename containing '..' before it reaches the route handler.
The request 404s because path.join throws on URL-encoded slashes.
res.sendFile refuses any path containing dots, so the request is rejected by design.