Symlink Escape

Hard+200 XPA05:2021 Security MisconfigurationCWE-22

Path TraversalSymlinkDirectory EscapeString Resolution

Scenario

A file server validates user-supplied paths by checking whether the combined path string starts with the base directory prefix.

An attacker submits /safe/../../../etc/passwd. The naive prefix check passes (/basedir/safe starts with /basedir), but after resolving .. segments the path escapes the base directory.

This class of bug defeats simple string-prefix checks and is the root cause of many real-world path traversal vulnerabilities.

Prefix-only checks are a deceptively easy mistake. The fix requires understanding that path resolution must happen before validation — a subtle ordering bug with critical security consequences.

Your Tasks

Fix validateFilePath so it properly resolves all '..' segments before checking the prefix.
Throw an error with the message 'Path traversal detected' when the resolved path escapes baseDir.
Return the resolved path on success.

Examples

Example 1 — Blocked — passes naive prefix check but escapes after resolution

validateFilePath('/var/app', 'safe/../../../etc/passwd')
// naive: '/var/app/safe' starts with '/var/app' → passes
// resolved: '/etc/passwd' — does NOT start with '/var/app'
// → throws Error('Path traversal detected')

Example 2 — Allowed — clean nested path

validateFilePath('/var/app', 'data/reports/q1.pdf')
// → returns '/var/app/data/reports/q1.pdf'

Constraints

›Only edit the function body — do not change the function signature.
›Resolution must be done by processing path segments, not by relying on OS calls.
›The prefix check must occur AFTER full resolution, not before.

Hint

References

CWE-22: Improper Limitation of a Pathname to a Restricted Directory OWASP Path Traversal — Bypass via String Prefix OWASP A05:2021 Security Misconfiguration

solution.js

Ln 1, Col 1│UTF-8│JavaScript

Sandbox ready

0/0/0not run