Avoid using unsanitized user input with sendFile

Metadata

ID: typescript-express/external-filename-upload

Language: TypeScript

Severity: Warning

Category: Security

Description

Using unsanitized user input in a sendFile method can allow attackers to access unintended resources.

Setting the root option directly in your sendFile options will make this rule not report a violation.

Learn More

Non-Compliant Code Examples

// Non-compliant: the user-supplied value `req.params.filename` reaches sendFile
// without a `root` option, so nothing anchors the requested path to an intended
// directory; the rule reports all three call forms below.
app.post("/upload", (req: Request, res: Response) => {
    // NOTE(review): the "/upload" route declares no ":filename" parameter, so
    // req.params.filename would be undefined at runtime; the snippet only
    // illustrates the flagged pattern.
    res.sendFile(req.params.filename)

    // Passing an options object without `root` does not change the finding.
    res.sendFile(req.params.filename, { maxAge: 0 })

    // Adding a completion callback does not change the finding either; the
    // callback here only logs the error rather than handling it.
    res.sendFile(req.params.filename, { maxAge: 0 }, (err) => console.log(err))
})

Compliant Code Examples

// Compliant: either the path is a constant, or `root` is set so the lookup is
// anchored to a fixed directory (here the "upload" directory next to this file).
app.post("/upload", (req: Request, res: Response) => {
    // Constant path with no user input involved: not reported.
    res.sendFile("foo")

    // `root` is what the rule looks for; it is recognized both when the options
    // object is built beforehand (this variable) and when it is passed inline.
    // NOTE(review): `root` anchors the lookup but does not by itself validate the
    // filename; restricting it further (e.g. to an allowlist of expected names)
    // remains advisable — confirm against the Express version in use.
    const options = { maxAge: 0, root: path.join(__dirname, "upload") }

    res.sendFile(req.params.filename, options)
    res.sendFile(req.params.filename, { maxAge: 0, root: path.join(__dirname, "upload") })

    // Same two forms with a completion callback; the callback here only logs
    // the error rather than handling it.
    res.sendFile(req.params.filename, options, (err) => console.log(err))
    res.sendFile(req.params.filename, { maxAge: 0, root: path.join(__dirname, "upload") }, (err) => console.log(err))
})