Skip to content

Commit 0857fde

Browse files
RafaelGSSRafaelGSS
committed
doc: clarify fileURLToPath security considerations
Add clarification that fileURLToPath() decodes encoded dot-segments (%2e%2e) which are normalized as path traversal. Applications must perform their own path validation to prevent directory traversal attacks. Also applies to fileURLToPathBuffer().
1 parent 3c92ee1 commit 0857fde

File tree

1 file changed

+23
-0
lines changed

1 file changed

+23
-0
lines changed

doc/api/url.md

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1329,6 +1329,19 @@ changes:
13291329
This function ensures the correct decodings of percent-encoded characters as
13301330
well as ensuring a cross-platform valid absolute path string.
13311331

1332+
**Security Considerations:**
1333+
1334+
This function decodes percent-encoded characters, including encoded dot-segments
1335+
(`%2e` as `.` and `%2e%2e` as `..`), and then normalizes the resulting path.
1336+
This means that encoded directory traversal sequences (such as `%2e%2e`) are
1337+
decoded and processed as actual path traversal, even though encoded slashes
1338+
(`%2F`, `%5C`) are correctly rejected.
1339+
1340+
**Applications must not rely on `fileURLToPath()` alone to prevent directory
1341+
traversal attacks.** Always perform explicit path validation and security checks
1342+
on the returned path value to ensure it remains within expected boundaries
1343+
before using it for file system operations.
1344+
13321345
```mjs
13331346
import { fileURLToPath } from 'node:url';
13341347

@@ -1384,6 +1397,15 @@ representation of the path, a `Buffer` is returned. This conversion is
13841397
helpful when the input URL contains percent-encoded segments that are
13851398
not valid UTF-8 / Unicode sequences.
13861399
1400+
**Security Considerations:**
1401+
1402+
This function has the same security considerations as [`url.fileURLToPath()`][].
1403+
It decodes percent-encoded characters, including encoded dot-segments
1404+
(`%2e` as `.` and `%2e%2e` as `..`), and normalizes the path. **Applications
1405+
must not rely on this function alone to prevent directory traversal attacks.**
1406+
Always perform explicit path validation on the returned buffer value before
1407+
using it for file system operations.
1408+
13871409
### `url.format(URL[, options])`
13881410
13891411
<!-- YAML
@@ -2014,6 +2036,7 @@ console.log(myURL.origin);
20142036
[`querystring`]: querystring.md
20152037
[`url.domainToASCII()`]: #urldomaintoasciidomain
20162038
[`url.domainToUnicode()`]: #urldomaintounicodedomain
2039+
[`url.fileURLToPath()`]: #urlfileurltopathurl-options
20172040
[`url.format()`]: #urlformaturlobject
20182041
[`url.href`]: #urlhref
20192042
[`url.parse()`]: #urlparseurlstring-parsequerystring-slashesdenotehost

0 commit comments

Comments
 (0)