#0403

Log File Reader

Medium | +100 XP | A05:2021 Security Misconfiguration | CWE-22
Path Traversal | LFI | Log Access | Input Validation

Scenario

A log-viewing API accepts a serviceName and a date parameter, then reads the file at logDir/serviceName/date.log.

Neither parameter is validated. An attacker sets serviceName to ../../etc and date to passwd.

The constructed path becomes logDir/../../etc/passwd.log — close enough to read sensitive files with predictable names.

Log viewers are a frequent target. Multi-segment paths where each segment is user-controlled multiply the attack surface — validating each component independently with an allowlist is the correct defence.

Your Tasks

  1. Fix getLogPath so it validates both serviceName and date against the pattern ^[a-z0-9_-]+$.
  2. Throw an error with the message 'Invalid log path' if either parameter fails validation.
  3. Return the constructed path string when both parameters are valid.

Examples

Example 1: Blocked — traversal in serviceName

getLogPath('/var/log', '../../etc', 'passwd')
// → throws Error('Invalid log path')

Example 2: Allowed — valid service and date

getLogPath('/var/log', 'auth-service', '2024-01-15')
// → returns '/var/log/auth-service/2024-01-15.log'

Constraints

  • Only edit the function body — do not change the function signature.
  • Both serviceName and date must independently match ^[a-z0-9_-]+$.
  • No filesystem access required — return the path string for testing.
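
A worked version of the fix the tasks describe, shown beside the unvalidated concatenation from the scenario. This is an added example, not the challenge's reference solution; getLogPathUnsafe, resolvePosix, demo and the input list are constructed for illustration, and the typeof check goes beyond the stated tasks.

```javascript
// Added example, not the challenge's reference solution.
const SEGMENT = /^[a-z0-9_-]+$/; // allowlist pattern from the task list

// The "before": plain concatenation, as the scenario describes.
function getLogPathUnsafe(logDir, serviceName, date) {
  return `${logDir}/${serviceName}/${date}.log`;
}

// The fix: every user-controlled segment must pass the allowlist on its own.
function getLogPath(logDir, serviceName, date) {
  for (const segment of [serviceName, date]) {
    // test() coerces non-strings (null becomes "null"), so require a string.
    // This type check is an addition beyond the stated tasks.
    if (typeof segment !== 'string' || !SEGMENT.test(segment)) {
      throw new Error('Invalid log path');
    }
  }
  return `${logDir}/${serviceName}/${date}.log`;
}

// Illustration helper (hypothetical): lexically collapse "." and ".." in an
// absolute POSIX path (symlinks ignored) to show where the open would land.
function resolvePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Constructed inputs: the page's two examples plus further edge cases.
function demo() {
  const cases = [
    ['../../etc', 'passwd'],          // traversal in serviceName
    ['auth-service', '2024-01-15'],   // valid
    ['auth-service', '../secrets'],   // traversal in date
    ['auth-service', '2024-01-15\n'], // trailing newline
    ['', '2024-01-15'],               // empty segment
  ];
  return cases.map(([svc, date]) => {
    const unsafe = resolvePosix(getLogPathUnsafe('/var/log', svc, date));
    let safe;
    try { safe = getLogPath('/var/log', svc, date); } catch (e) { safe = e.message; }
    return { unsafe, safe };
  });
}
console.log(demo());
```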
