Home/ Questions/Q 8373873
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T14:47:25+00:00

I have the following code: app.get(‘/games/:id/log’, function (req, res) { fs.readFile(‘logs/’ + req.params.id +’.log’,

  • 0

I have the following code:

app.get('/games/:id/log', function (req, res) {
    fs.readFile('logs/' + req.params.id +'.log', 'utf8', function (err, data) {
        res.send(data.split('\n').join('\<br />'));
    });
});

Which allows accessing mysite.com/games/somename/log to serve up ./logs/somename.log. However, I’m worried that req.params.id could end up being something evil like ../.., reading files that I don’t want to be visible.

Is this possible? If so, how can I fix this security problem?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would create a white list of characters you would allow in your id. My guess is that your id can only be alpha characters. So running a test would allow you to reject all other values.

    var id = req.params.id.match(/[A-Z]+/i
    id = id[0] || null

if (id) {
  // read file `id`
}

    This will clean your input only allowing upper and lower case alpha characters. You could also test the input for a valid characters instead of just cleaning it.

    var reg = /^[A-Z]+$/i


if (reg.test(req.params.id)) {
  // read file `req.params.id`
}

    Also note: You will never be able to get ../.. as a value for id, as it would not match your routing.

    You can see more info about the routing via req.route

    Example of your route would be:

    { path: '/games/:id/log',
  method: 'get',
  callbacks: [ [Function] ],
  keys: [ { name: 'id', optional: false } ],
  regexp: /^\/games\/(?:([^\/]+?))\/log\/?$/i,
  params: [ id: 'asd' ] } [ id: 'asd' ]
}

    http://expressjs.com/api.html#req.route

    • 0