From 6399f9e61a9257d8165dcfe65d0346b449c23e7c Mon Sep 17 00:00:00 2001 From: Eric Fortis Date: Sat, 15 Feb 2025 13:46:25 -0400 Subject: [PATCH 1/4] =?UTF-8?q?doc:=20clarify=20path.isAbsolute=20doesn?= =?UTF-8?q?=E2=80=99t=20resolve=20paths?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/api/path.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/doc/api/path.md b/doc/api/path.md index eb558e73592e4d..f7b716835794e3 100644 --- a/doc/api/path.md +++ b/doc/api/path.md @@ -317,17 +317,20 @@ added: v0.11.2 * `path` {string} * Returns: {boolean} -The `path.isAbsolute()` method determines if `path` is an absolute path. +The `path.isAbsolute()` method determines if the literal (non-resolved) `path` +is an absolute path. Therefore, it’s likely that you want to run it through +`path.normalize()` before using it in `path.join()` or `path.isAbsolute()`. If the given `path` is a zero-length string, `false` will be returned. For example, on POSIX: ```js -path.isAbsolute('/foo/bar'); // true -path.isAbsolute('/baz/..'); // true -path.isAbsolute('qux/'); // false -path.isAbsolute('.'); // false +path.isAbsolute('/foo/bar'); // true +path.isAbsolute('/baz/..'); // true +path.isAbsolute('/baz/../..'); // true (doesn’t resolve) +path.isAbsolute('qux/'); // false +path.isAbsolute('.'); // false ``` On Windows: From 7cbdcbb9d4673122dd25e5d7856bb614aa8a352b Mon Sep 17 00:00:00 2001 From: Eric Fortis Date: Sun, 16 Feb 2025 12:20:53 -0400 Subject: [PATCH 2/4] =?UTF-8?q?doc:=20clarify=20path.isAbsolute=20doesn?= =?UTF-8?q?=E2=80=99t=20resolve=20paths?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/api/path.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/doc/api/path.md b/doc/api/path.md index f7b716835794e3..84ebd4fb6f9840 100644 --- a/doc/api/path.md +++ b/doc/api/path.md @@ -317,9 +317,18 @@ added: v0.11.2 * `path` {string} * Returns: {boolean} -The `path.isAbsolute()` method determines if the literal (non-resolved) `path` -is an absolute path. Therefore, it’s likely that you want to run it through -`path.normalize()` before using it in `path.join()` or `path.isAbsolute()`. +The `path.isAbsolute()` method determines if the literal (non-resolved) `path` is an +absolute path. Therefore, it’s likely that you want to run it through `path.normalize()` +if your plan is to use it as a subpath in order to mitigate path traversals. For example: + +```js +// Normalizing the subpath mitigates traversing above the mount directory. +const mySubpath = path.normalize('/foo/../..'); +if (path.isAbsolute(mySubpath)) { + const myPath = path.join(MOUNT_DIR, mySubpath) +} +``` + If the given `path` is a zero-length string, `false` will be returned. From f79fbba98db6e22ab8e1c4f925f032ac8ce63519 Mon Sep 17 00:00:00 2001 From: Eric Fortis Date: Sat, 1 Mar 2025 22:10:38 -0400 Subject: [PATCH 3/4] =?UTF-8?q?doc:=20clarify=20path.isAbsolute=20doesn?= =?UTF-8?q?=E2=80=99t=20resolve=20paths?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/api/path.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/api/path.md b/doc/api/path.md index 84ebd4fb6f9840..a6924266252435 100644 --- a/doc/api/path.md +++ b/doc/api/path.md @@ -317,27 +317,27 @@ added: v0.11.2 * `path` {string} * Returns: {boolean} -The `path.isAbsolute()` method determines if the literal (non-resolved) `path` is an -absolute path. Therefore, it’s likely that you want to run it through `path.normalize()` -if your plan is to use it as a subpath in order to mitigate path traversals. For example: +The `path.isAbsolute()` method determines if the literal `path` is absolute. +Therefore, it’s not safe for mitigating path traversals without normalizing it. ```js -// Normalizing the subpath mitigates traversing above the mount directory. -const mySubpath = path.normalize('/foo/../..'); -if (path.isAbsolute(mySubpath)) { - const myPath = path.join(MOUNT_DIR, mySubpath) +// Normalizing the subpath mitigates traversing above the mount directory +const subpath = '/foo/../..' +if (!path.isAbsolute(path.normalize(subpath))) { + throw 'FORBIDDEN' } +const myPath = path.join(MOUNT_DIR, subpath) ``` If the given `path` is a zero-length string, `false` will be returned. -For example, on POSIX: +On POSIX: ```js path.isAbsolute('/foo/bar'); // true path.isAbsolute('/baz/..'); // true -path.isAbsolute('/baz/../..'); // true (doesn’t resolve) +path.isAbsolute('/baz/../..'); // true path.isAbsolute('qux/'); // false path.isAbsolute('.'); // false ``` From b68f49b105f8385faf70b145e64343434087af6e Mon Sep 17 00:00:00 2001 From: Eric Fortis Date: Sun, 2 Mar 2025 11:56:51 -0400 Subject: [PATCH 4/4] =?UTF-8?q?doc:=20clarify=20path.isAbsolute=20doesn?= =?UTF-8?q?=E2=80=99t=20resolve=20paths?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/api/path.md | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/doc/api/path.md b/doc/api/path.md index a6924266252435..2c8398c877572d 100644 --- a/doc/api/path.md +++ b/doc/api/path.md @@ -318,21 +318,11 @@ added: v0.11.2 * Returns: {boolean} The `path.isAbsolute()` method determines if the literal `path` is absolute. -Therefore, it’s not safe for mitigating path traversals without normalizing it. - -```js -// Normalizing the subpath mitigates traversing above the mount directory -const subpath = '/foo/../..' -if (!path.isAbsolute(path.normalize(subpath))) { - throw 'FORBIDDEN' -} -const myPath = path.join(MOUNT_DIR, subpath) -``` - +Therefore, it’s not safe for mitigating path traversals. If the given `path` is a zero-length string, `false` will be returned. -On POSIX: +For example, on POSIX: ```js path.isAbsolute('/foo/bar'); // true