Path traversal and Null Byte attack prevention

[lukeabennett]

Hello,

I'm working on a project that requires us to verify that we are following security practices documented within OWASP guidelines.
The two attack vectors from this doc that I am focused on are Path traversal and Null Byte attacks.

Nodejs provides a simple doc with an explanation of these attacks, and makes it clear that the developer should put checks in place to prevent these. https://nodejs.org/en/knowledge/file-system/security/introduction/

I am keen to find out whether the Next.js framework provides any protection against these exploits for us. I have scanned the Next.js docs for details around these two attacks and couldn't find anything of use. I did see that Next.js versions <9.3.2 are vulnerable to a path traversal attack, but no other details are available.

1. Does Next.js have built in Path Traversal attack prevention?
2. Similar question for the Null Byte attack, does Next.js have built in Null Byte attack prevention?
3. Is there any other path traversal or null byte prevention that is built in for other user provided data such as form fields or cookie data?

For additional context, we have two apps running Next.js with React.
One at v.9.3.5.
The other at v.9.2.0 which is more than likely to be updated to at least 9.3.2 given the path traversal vulnerability.

Many thanks,
Luke

[Timer]

Next.js has null byte prevention as well as path traversal prevention.

We also test the framework itself is not vulnerable to user-input (XSS) attacks.

Furthermore, we have very comprehensive path traversal tests since the <9.3.2 vulnerability was found.

[lukeabennett]

Hi Timer,

Thank you for your quick response and for the links to the code for the security checks and tests.

In my haste I forgot to mention that we start our app through express, in a manner similar to that in this example. https://levelup.gitconnected.com/set-up-next-js-with-a-custom-express-server-typescript-9096d819da1c

By doing this, do you know if Next.js would still handle the path traversal and null byte prevention for us, or should I be looking at how express manages these vulnerabilities as express will be called first?

Thanks again,
Luke

[Timer]

You'll need to harden and test your custom (express) server yourself, as Next.js is not in control of that. Do note, modern-day Next.js should never require a custom server, and they can almost always be removed.