2022-12-22 10:59:18 +00:00
|
|
|
id: generic-path-traversal
|
|
|
|
|
|
|
|
info:
|
2023-07-02 17:40:27 +00:00
|
|
|
name: Generic - Path Traversal
|
2022-12-22 10:59:18 +00:00
|
|
|
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
|
|
|
severity: info
|
|
|
|
description: Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
|
|
|
|
tags: file,nodejs
|
|
|
|
|
|
|
|
file:
|
|
|
|
- extensions:
|
|
|
|
- all
|
|
|
|
|
2022-12-22 11:36:43 +00:00
|
|
|
matchers:
|
2022-12-22 10:59:18 +00:00
|
|
|
- type: regex
|
|
|
|
regex:
|
2023-06-28 05:11:36 +00:00
|
|
|
- "[^\\.]*\\.createReadStream\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
|
|
|
|
- "[^\\.]*\\.readFile\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
|
|
|
|
- "[^\\.]*\\.readFileSync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
|
|
|
|
- "[^\\.]*\\.readFileAsync\\([^\\)]*\\, <[\\s\\S]*?\\> [^\\)]*\\)"
|
2023-07-02 17:40:27 +00:00
|
|
|
condition: or
|