Install: claude install-skill Liaabnormal676/find-cve-agent
# Path Traversal & Zip Slip Detection
## When to Use
Audit archive extraction libraries, file upload handlers, static file servers, file path utilities, and any package that writes files based on user-controlled names.
~85% CVE acceptance rate when confirmed.
## Key Insight
`path.join()` does NOT prevent `..` traversal in Node.js:
```js
path.join('/uploads', '../../../etc/passwd')
// Returns: '/etc/passwd' -- NOT '/uploads/etc/passwd'
```
`path.resolve()` returns an absolute path but also does NOT validate that it stays within a base directory.
## Variants
### 1. Classic Path Traversal
User controls a filename/path parameter that is concatenated with a base directory:
```js
const filePath = path.join(uploadDir, req.params.filename);
fs.readFileSync(filePath); // ../../../etc/passwd
```
### 2. Zip Slip
Malicious archive entries contain `../` in their filenames. During extraction, files are written outside the intended directory:
```
malicious.zip contains:
../../../../tmp/pwned.txt
```
### 3. Symlink Following
The archive first contains a symlink entry pointing outside the target directory, followed by a regular file entry whose path goes through that symlink. If the extractor writes the second entry without checking, the write follows the symlink and lands at an arbitrary location.
### 4. Backslash Bypass
On Windows or with naive path checks, `..\` bypasses `../` filtering:
```js
filename = "..\\..\\..\\etc\\passwd"
```
### 5. URL Encoding Bypass
```
%2e%2e%2f = ../
%2e%2e/ = ../
..%2f = ../
Double encoding: %252e%252e%252f
```
### 6. Null Byte (Lega