
Node Cookbook

By David Mark Clements. Published by Packt Publishing.
  Node Cookbook
  Credits
  About the Author
  About the Reviewers
  www.PacktPub.com
    Support files, eBooks, discount offers and more
  Preface
    What this book covers
    What you need for this book
    Who this book is for
    Conventions
    Reader feedback
    Customer support
    Downloading the example code
    Errata
    Piracy
    Questions
  1. Making a Web Server
    Introduction
    Setting up a router
    Serving static files
    Caching content in memory for immediate delivery
    Optimizing performance with streaming
    Securing against filesystem hacking exploits
  2. Exploring the HTTP Object
    Introduction
    Processing POST data
    Handling file uploads
    Using Node as an HTTP client
    Implementing download throttling
  3. Working with Data Serialization
    Introduction
    Converting an object to JSON and back again
    Converting an object to XML and back again
    Browser-server transmission via AJAX
    Working with real data: fetching trending tweets
  4. Interfacing with Databases
    Introduction
    Writing to a CSV file
    Connecting and sending SQL to a MySQL server
    Storing and retrieving data with MongoDB
    Storing and retrieving data with Mongoskin
    Storing data to CouchDB with Cradle
    Retrieving data from CouchDB with Cradle
    Accessing CouchDB changes stream with Cradle
    Storing and retrieving data with Redis
    Implementing PubSub with Redis
  5. Transcending AJAX: Using WebSockets
    Introduction
    Creating a WebSocket server
    Seamless fallbacking with socket.io
    Callbacks over socket.io transport
    Creating a real-time widget
  6. Accelerating Development with Express
    Introduction
    Generating Express scaffolding
    Defining and applying environments
    Dynamic routing
    Templating in Express
    CSS engines with Express
    Initializing and using a session
    Making an Express web app
  7. Implementing Security, Encryption, and Authentication
    Introduction
    Implementing Basic Authentication
    Cryptographic password hashing
    Implementing Digest Authentication
    Setting up an HTTPS web server
    Preventing cross-site request forgery
  8. Integrating Network Paradigms
    Introduction
    Sending email
    Sending SMS
    Communicating with TCP
    Creating an SMTP server
    Implementing a virtual hosting paradigm
  9. Writing Your Own Node Modules
    Introduction
    Creating a test-driven module API
    Writing a functional module mock-up
    Refactoring from functional to prototypical
    Extending the module's API
    Deploying a module to npm
  10. Taking It Live
    Introduction
    Deploying to a server environment
    Automatic crash recovery
    Continuous deployment
    Hosting with a Platform as a Service provider

Securing against filesystem hacking exploits

For a Node app to be insecure, there must be something an attacker can interact with for exploitation purposes. Due to Node's minimalist approach, the onus is mostly on programmers to ensure their implementation doesn't expose security flaws. This recipe will help identify some security risk anti-patterns that could occur when working with the filesystem.

Getting ready

We'll be working with the same content directory as in the previous recipes, but we'll start a new insecure_server.js file (there's a clue in the name!) from scratch to demonstrate mistaken techniques.

How to do it...

Our previous static file recipes tend to use path.basename to acquire a route, but this flattens all requests onto a single level. If we accessed ...
