385415 (1)
#1
Hello,

I'm starting to read your book, but I found that the serveStatic function is poorly secured.
It allows an attacker to get files from the system using the commonly known directory traversal vulnerability.
Is this because the code is just to show the basics about node.js?

I fixed it using:
filePath = 'public' + path.normalize(url.parse(request.url).pathname).replace(/^(\.\.[\/\\])+/, '');

But I am wondering if I have to do this for every type of vulnerability, or should I go with express.js since node.js is just the platform.

I'm planning to introduce this technology to my company, so I have to be sure about all the security features.

What advice can you give me?
Thanks!