About

This is a node.js example illustrating how path traversal (a user-supplied path escaping the document root, e.g. via `..` segments) can be mitigated by checking that the requested path stays inside the base directory.

Code

///////////////////////////////////////////////////////////////////////////
//  Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3      //
///////////////////////////////////////////////////////////////////////////
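/**
 * Check that a requested path lies within a document root.
 *
 * Both paths are split on `separator` and compared segment by segment:
 * `userPath` is accepted only if it is at least as deep as `rootPath` and
 * every segment of `rootPath` matches the corresponding leading segment of
 * `userPath`. Empty segments (leading/trailing/doubled separators) are
 * ignored, so "/var//www/" and "var/www" compare equal.
 *
 * Any ".." segment in `userPath` is rejected outright: without that check a
 * request such as "/var/www/../etc/passwd" shares the "/var/www" prefix and
 * would pass the comparison while resolving outside the root.
 *
 * Caveats for callers: only the given `separator` is recognised (on Windows
 * a path using the other slash is not split on it); a "." segment is not
 * collapsed and simply fails the comparison; a `rootPath` with no segments
 * ("" or "/") accepts every path; and the check is purely lexical, so it
 * does not protect against symlinks inside the root pointing elsewhere —
 * resolve the path (e.g. with `path.resolve`/`fs.realpath`) when that matters.
 *
 * @param {string} userPath - the requested path
 * @param {string} rootPath - the base document root path
 * @param {string} separator - the path separator to use (path.sep from the path package in node.js)
 * @returns {boolean} true if userPath is a safe path within rootPath
 */
function isRooted(userPath, rootPath, separator) {
    // filter(Boolean) drops the empty strings produced by leading, trailing
    // or doubled separators so they do not shift the segment indices.
    const userSegments = userPath.split(separator).filter(Boolean);
    const rootSegments = rootPath.split(separator).filter(Boolean);

    // A ".." anywhere in the requested path can climb back out of the root
    // after the prefix has matched, so refuse it rather than rely on the
    // caller having normalised the path first.
    if (userSegments.includes('..')) {
        return false;
    }

    // The request must be at least as deep as the root and share every
    // leading segment with it.
    return userSegments.length >= rootSegments.length &&
        rootSegments.every((segment, index) => segment === userSegments[index]);
}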