fix: prevent path traversal via directory prefix collision in _joinDirectoryName (#1062)

vnykmshr · web-flow · commit 720cdfdfb9d8 · 2026-02-18T05:22:37.000+02:00
The startsWith check compared string prefixes, not filesystem paths. When uploadDir lacks a trailing separator (the default), sibling directories sharing the same prefix bypass the check. Use path.resolve + path.sep to ensure the resolved path is inside the upload directory, not just sharing a string prefix. Fixes #1061
diff --git a/src/Formidable.js b/src/Formidable.js
@@ -596,14 +596,17 @@ class IncomingForm extends EventEmitter {
   }
 
   _joinDirectoryName(name) {
-    const newPath = path.join(this.uploadDir, name);
+    const resolvedDir = path.resolve(this.uploadDir);
+    const resolvedPath = path.resolve(resolvedDir, name);
 
     // prevent directory traversal attacks
-    if (!newPath.startsWith(this.uploadDir)) {
+    // use resolvedDir + path.sep to avoid prefix collisions with sibling directories
+    // e.g. uploadDir "/tmp/uploads" should not allow writes to "/tmp/uploads-evil/"
+    if (resolvedPath === resolvedDir || !resolvedPath.startsWith(resolvedDir + path.sep)) {
       return path.join(this.uploadDir, this.options.defaultInvalidName);
     }
 
-    return newPath;
+    return resolvedPath;
   }
 
   _setUpRename() {
diff --git a/test/unit/formidable.test.js b/test/unit/formidable.test.js
@@ -307,4 +307,28 @@ function makeHeader(originalFilename) {
   //     originalFilename: (_) => path.join(__dirname, 'sasa'),
   //   });
   // });
+
+  test(`${name}#_joinDirectoryName blocks standard directory traversal`, () => {
+    const form = getForm(name, { uploadDir: '/tmp/uploads' });
+    const result = form._joinDirectoryName('../../../etc/passwd');
+    expect(result).toBe(path.join('/tmp/uploads', 'invalid-name'));
+  });
+
+  test(`${name}#_joinDirectoryName blocks sibling directory prefix collision`, () => {
+    const form = getForm(name, { uploadDir: '/tmp/uploads' });
+    const result = form._joinDirectoryName('../uploads-evil/payload.sh');
+    expect(result).toBe(path.join('/tmp/uploads', 'invalid-name'));
+  });
+
+  test(`${name}#_joinDirectoryName allows subdirectories within uploadDir`, () => {
+    const form = getForm(name, { uploadDir: '/tmp/uploads' });
+    const result = form._joinDirectoryName('images/photo.jpg');
+    expect(result).toBe(path.resolve('/tmp/uploads', 'images/photo.jpg'));
+  });
+
+  test(`${name}#_joinDirectoryName blocks name resolving to uploadDir itself`, () => {
+    const form = getForm(name, { uploadDir: '/tmp/uploads' });
+    const result = form._joinDirectoryName('.');
+    expect(result).toBe(path.join('/tmp/uploads', 'invalid-name'));
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -596,14 +596,17 @@ class IncomingForm extends EventEmitter {`
`596`	`596`	`}`
`597`	`597`
`598`	`598`	`_joinDirectoryName(name) {`
`599`		`- const newPath = path.join(this.uploadDir, name);`
	`599`	`+ const resolvedDir = path.resolve(this.uploadDir);`
	`600`	`+ const resolvedPath = path.resolve(resolvedDir, name);`
`600`	`601`
`601`	`602`	`// prevent directory traversal attacks`
`602`		`- if (!newPath.startsWith(this.uploadDir)) {`
	`603`	`+ // use resolvedDir + path.sep to avoid prefix collisions with sibling directories`
	`604`	`+ // e.g. uploadDir "/tmp/uploads" should not allow writes to "/tmp/uploads-evil/"`
	`605`	`+ if (resolvedPath === resolvedDir \|\| !resolvedPath.startsWith(resolvedDir + path.sep)) {`
`603`	`606`	`return path.join(this.uploadDir, this.options.defaultInvalidName);`
`604`	`607`	`}`
`605`	`608`
`606`		`- return newPath;`
	`609`	`+ return resolvedPath;`
`607`	`610`	`}`
`608`	`611`
`609`	`612`	`_setUpRename() {`