Juicy Shop
Path Traversal in File Download
Vulnerability
The download handler joins an attacker-controlled filename onto the uploads directory without confirming the result stays inside it. Because path.join resolves ../ sequences, a name like ../../../../etc/passwd escapes UPLOADS_DIR and reads arbitrary files the process can access — source code, configuration, secrets, or the system password file. This is a directory/path traversal leading to arbitrary file read.
Exploit Steps
- Locate the file-download endpoint that takes a filename parameter
- Replace the filename with ../../../../etc/passwd (URL-encoded if needed)
- Send the request
- The server returns the contents of files outside the uploads directory
Tools: Burp Suite, curl, dotdotpwn
Mitigation & Solution
Canonicalise the final path with resolve() and verify it is still prefixed by the uploads directory (plus a separator) before reading. Prefer mapping an opaque ID to a stored filename instead of accepting raw names, reject names containing path separators or '..', and run the service with least-privilege filesystem access.
Coding Challenge
Find It
File: apps/juicy-shop/src/security-examples/path-traversal.ts
Click the line that contains the vulnerability: