File Download Validator

Easy+50 XPA05:2021 Security MisconfigurationCWE-22

Path TraversalLFIFile Access

Scenario

A file-download endpoint accepts a filename parameter and serves the file from a designated base directory.

The handler naively concatenates the base directory with the user-supplied filename — no sanitisation is applied.

An attacker supplies ../../../etc/passwd as the filename, escaping the base directory entirely and reading arbitrary files from the server.

Path traversal is consistently in the OWASP Top 10. A single unsanitised filename parameter can expose /etc/passwd, SSH keys, environment files, and application secrets.

Your Tasks

Fix getSafePath so it rejects filenames that escape the base directory.
Throw an error with the message 'Path traversal detected' when the resolved path does not start with baseDir.
Return the resolved absolute path string when the filename is safe.

Examples

Example 1 — Blocked — traversal attempt

getSafePath('/var/app/uploads', '../../../etc/passwd')
// → throws Error('Path traversal detected')

Example 2 — Allowed — safe filename

getSafePath('/var/app/uploads', 'report.pdf')
// → returns '/var/app/uploads/report.pdf'

Constraints

›Only edit the function body — do not change the function signature.
›Treat paths as pure strings — no filesystem access required.
›Resolve .. segments manually or with path utilities; verify the result starts with baseDir.

Hint

References

CWE-22: Improper Limitation of a Pathname to a Restricted Directory OWASP Path Traversal OWASP A05:2021 Security Misconfiguration

solution.js

Ln 1, Col 1│UTF-8│JavaScript

Sandbox ready

0/0/0not run