For a Node app to be insecure, there must be something an attacker can interact with for exploitation purposes. Due to Node's minimalist approach, the onus is on the programmer to ensure that their implementation doesn't expose security flaws. This recipe will help identify some security risk anti-patterns that could occur when working with the filesystem.
We'll be working with the same content directory as we did in the previous recipes. But we'll start a new insecure_server.js file (there's a clue in the name!) from scratch to demonstrate mistaken techniques.

Our previous static file recipes tend to use path.basename to acquire a route, but this ignores intermediate paths. ...