Juicy Shop

Path Traversal in File Download

Input ValidationA01:2021 – Broken Access Controlhigh

Vulnerability

The download handler joins an attacker-controlled filename onto the uploads directory without confirming the result stays inside it. Because path.join resolves ../ sequences, a name like ../../../../etc/passwd escapes UPLOADS_DIR and reads arbitrary files the process can access — source code, configuration, secrets, or the system password file. This is a directory/path traversal leading to arbitrary file read.

Exploit Steps

  1. Locate the file-download endpoint that takes a filename parameter
  2. Replace the filename with ../../../../etc/passwd (URL-encoded if needed)
  3. Send the request
  4. The server returns the contents of files outside the uploads directory

Tools: Burp Suite, curl, dotdotpwn

Mitigation & Solution

Canonicalise the final path with resolve() and verify it is still prefixed by the uploads directory (plus a separator) before reading. Prefer mapping an opaque ID to a stored filename instead of accepting raw names, reject names containing path separators or '..', and run the service with least-privilege filesystem access.

Coding Challenge

Find It

File: apps/juicy-shop/src/security-examples/path-traversal.ts

Click the line that contains the vulnerability:

Fix It