Path Traversal Issue Fix in Nodejs

Question

Below is the image consist of lines of code that represents uploading a file(s) in nodejs (koa framework). It is working fine. But one vulnerability arises from the line "const readStream = fs.createReadStream(file.filepath);" in Veracode portal. I am confused how to fix this. Any help would be appreciated!

Below is the code:

const uploads = [];

const files = ctx.request.files;

for (let i = 0; i < Object.keys(files).length; i++) {
  const file = files[`file-${i}`];

  if (file) uploads.push(file);
}

if (uploads.length == 0) {
  ctx.log.error(NO_FILES);

  ctx.status = 404;

  return ctx;
}

for (const element of uploads) {
  const file = element;

  const readStream = fs.createReadStream(file.filepath);

  const key =
    file.filepath.substring(file.filepath.lastIndexOf("/") + 1) +
    file.filepath.substring(file.filepath.lastIndexOf("."));

  const params = {
    Body: readStream,

    Bucket: bucketName,

    ContentType: file.mimetype,

    Key: key,

    Metadata: { landParcelId },
  };

  let attach_url;

  try {
    const upload = s3.upload(params);

    const res = await upload.promise();

    attach_url = res.Location;
  } catch (err) {
    ctx.log.error(err);

    ctx.status = 500;

    return ctx;
  }

  attachments.push({
    landParcelId,

    description: file.originalFilename,

    fileName: file.originalFilename,

    typeId: ctx.request.body.documentType,

    fileType: file.mimetype,

    url: attach_url,
  });
}

try {
  await landAttachment.bulkCreate(attachments);
} catch (err) {
  ctx.log.error(err);

  ctx.status = 500;

  return ctx;
}

ctx.status = 200;

Image is not clear when made big, share better resolution image — Bharath, Nov 28 '22 at 06:45
@partha-chowdhury Instead of sharing an image with the code it might be easier for all of us if you can provide the code itself ... thank you in advance. — Sebastian Hildebrandt, Nov 28 '22 at 07:21

Path Traversal Issue Fix in Nodejs

0 Answers0