#0402

Template Loader

Difficulty: Easy · Reward: +50 XP · OWASP A05:2021 Security Misconfiguration · CWE-22 Path Traversal
Tags: LFI, Template Engine

Scenario

A web application dynamically loads HTML templates by name. The template loader concatenates a base templates directory with the user-supplied template name.

No path sanitisation is applied. An attacker passes ../../config/database.yml as the template name.

The server reads and returns the database credentials file instead of a template.

Template loaders are a common vector for LFI. Exposing arbitrary file reads via template names can leak credentials, private keys, and application source code.

Your Tasks

  1. Fix loadTemplate so it rejects template names that escape the templates directory.
  2. Throw an error with the message 'Invalid template path' when traversal is detected.
  3. Return the resolved path string on success (no filesystem reads required for testing).

Examples

Example 1: Blocked (traversal attempt)

loadTemplate('/app/templates', '../../config/db.yml')
// → throws Error('Invalid template path')

Example 2: Allowed (valid template name)

loadTemplate('/app/templates', 'email/welcome.html')
// → returns '/app/templates/email/welcome.html'

Constraints

  • Only edit the function body — do not change the function signature.
  • Treat paths as pure strings; resolve '..' segments and verify the result starts with templatesDir.
  • The check must be applied before any file read operation.
