For a Node app to be insecure, there must be something an attacker can interact with for exploitation purposes. Due to Node's minimalist approach, the onus is mostly on programmers to ensure their implementation doesn't expose security flaws. This recipe will help identify some security risk anti-patterns that could occur when working with the filesystem.
We'll be working with the same content directory as in the previous recipes, but we'll start a new insecure_server.js file (there's a clue in the name!) from scratch to demonstrate mistaken techniques.
Our previous static file recipes tend to use path.basename to acquire a route, but this flattens all requests. If we accessed ...