Javascript Snippet #03
This challenge covers the review of a snippet of code written in JavaScript.
In this Code Review Snippet challenge, you are presented with a small piece of JavaScript code that is vulnerable. The code utilizes the Express framework to create a route for file downloads. It attempts to sanitize the filename parameter by replacing instances of "/.." with an empty string before sending the file back to the client. However, the sanitization is insufficient because it is not applied recursively.
The video walks you through the code, explaining how the regular expression works and why it fails to prevent path traversal attacks. By replacing "/.." only once, an attacker can craft a filename that bypasses the filter and accesses arbitrary files on the server. For instance, a filename like "//....//....//..../etc/passwd" will be only partially sanitized, allowing the attacker to read sensitive files.
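
The single-pass filter described above next to a containment check that replaces it, as an added example that is not the challenge's own code. The regular expression, the download root /srv/app/downloads and all function names are assumptions, since the page does not show the snippet.

```javascript
const nodePath = require('path');

// Assumed download root (hypothetical; the page does not name one).
const BASE_DIR = '/srv/app/downloads';

// Filter as the description puts it: every "/.." is removed in one pass and
// the result is never re-scanned. The exact regex is an assumption.
function stripOnce(name) {
  return name.replace(/\/\.\./g, '');
}

// Vulnerable resolution: filter the name, then join it onto the base directory.
function resolveVulnerable(name) {
  return nodePath.posix.join(BASE_DIR, stripOnce(name));
}

// Hardened resolution: no string filtering at all. Resolve the final path,
// then require that it still sits strictly inside BASE_DIR.
function resolveSafe(name) {
  if (typeof name !== 'string' || name.includes('\0')) return null;
  const full = nodePath.posix.resolve(BASE_DIR, name);
  // The trailing "/" stops sibling directories such as "downloads-old"
  // from passing a bare prefix comparison.
  return full.startsWith(BASE_DIR + '/') ? full : null;
}

// Filename taken from the page's description.
const PAGE_EXAMPLE = '//....//....//..../etc/passwd';

function demo() {
  return {
    afterFilter: stripOnce(PAGE_EXAMPLE),          // removing "/.." leaves new "/.." sequences
    vulnerable: resolveVulnerable(PAGE_EXAMPLE),   // resolves outside BASE_DIR
    safe: resolveSafe(PAGE_EXAMPLE),               // rejected
    legit: resolveSafe('report.pdf'),              // accepted
  };
}

console.log(demo());
```

In an Express handler, a null result from resolveSafe would map to a 400 or 404 response instead of a call to send the file.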