Is this method of static file serving safe in node.js? (potential security hole?)

Posted by MikeC8 on Stack Overflow See other posts from Stack Overflow or by MikeC8
Published on 2012-06-01T16:36:56Z Indexed on 2012/06/01 16:40 UTC
Read the original article Hit count: 187

Filed under:

node.js

I want to create the simplest node.js server to serve static files.

Here's what I came up with:

fs = require('fs');
server = require('http').createServer(function(req, res) {
    res.end(fs.readFileSync(__dirname + '/public/' + req.url));
});
server.listen(8080);

Clearly this would map http://localhost:8080/index.html to project_dir/public/index.html, and similarly so for all other files.

My one concern is that someone could abuse this to access files outside of project_dir/public. Something like this, for example:

http://localhost:8080/../../sensitive_file.txt

I tried this a little bit, and it wasn't working. But, it seems like my browser was removing the ".." itself. Which leads me to believe that someone could abuse my poor little node.js server.

I know there are npm packages that do static file serving. But I'm actually curious to write my own here. So my questions are:

Is this safe?
If so, why? If not, why not?
And, if further, if not, what is the "right" way to do this? My one constraint is I don't want to have to have an if clause for each possible file, I want the server to serve whatever files I throw in a directory.

Related posts about node.js

Node.js Adventure - Node.js on Windows

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Two weeks ago I had had a talk with Wang Tao, a C# MVP in China who is currently running his startup company and product named worktile. He asked me to figure out a synchronization solution which helps his product in the future. And he preferred me implementing the service in Node.js, since his worktile… >>> More
Node.js Adventure - Host Node.js on Windows Azure Worker Role

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
In my previous post I demonstrated about how to develop and deploy a Node.js application on Windows Azure Web Site (a.k.a. WAWS). WAWS is a new feature in Windows Azure platform. Since it’s low-cost, and it provides IIS and IISNode components so that we can host our Node.js application though Git… >>> More
Sending data through POST request from a node.js server to a node.js server

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to send data through a POST request from a node.js server to another node.js server. What I do in the "client" node.js is the following: var options = { host: 'my.url', port: 80, path: '/login', method: 'POST' }; var req = http.request(options, function(res){ console… >>> More
node.js on multi-core machines

as seen on Stack Overflow - Search for 'Stack Overflow'
node.js looks interesting BUT... I must miss something - isn't node.js tuned only to run on a single process & thread? Then how does it scale for multi-core CPUs and multi-CPU servers? After all, it is all great to make fast as possible single-thread server, but for high loads I would want to… >>> More
Node.js as a custom (streaming) upload handler for Django

as seen on Stack Overflow - Search for 'Stack Overflow'
I want to build an upload-centric app using Django. One way to do this is with nginx's upload module (nonblocking) but it has its problems. Node.js is supposed to be a good candidate for this type of application. But how can I make node.js act as an upload_handler() for Django (http://docs.djangoproject… >>> More

Developer IT