#0404

Config File Access

Medium | +100 XP | A05:2021 Security Misconfiguration | CWE-22
Path Traversal | LFI | File Extension | Config Access

Scenario

A configuration management endpoint lets admins fetch config files by name from a central config directory.

The handler accepts any extension and any path. An attacker requests ../../app/secret.php or ../../etc/passwd.

Two bugs exist: (1) no path traversal check, and (2) no extension allowlist — attackers can read PHP source files, shell scripts, and system files.

Combining extension filtering with path traversal checks is defence-in-depth. Either check alone can be bypassed; together they prevent both direct file disclosure and type confusion attacks.

Your Tasks

  1. Fix getConfigPath to reject traversal attempts and reject disallowed extensions.
  2. Only .json and .yaml extensions are permitted.
  3. Throw an error with the message 'Invalid config file' for bad extension or traversal.

Examples

Example 1: Blocked — disallowed extension

getConfigPath('/etc/app/configs', 'setup.php')
// → throws Error('Invalid config file')

Example 2: Blocked — path traversal

getConfigPath('/etc/app/configs', '../../secret.json')
// → throws Error('Invalid config file')

Example 3: Allowed — safe .json config

getConfigPath('/etc/app/configs', 'database.json')
// → returns '/etc/app/configs/database.json'

Constraints

  • Only edit the function body — do not change the function signature.
  • Check extension first, then check for path traversal.
  • No filesystem access required — return the resolved path string on success.
