secure-express-setup
Military-grade one-command security setup for Express.js applications
const path = require('path');
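/**
 * Build an Express middleware that rejects requests whose inputs contain
 * path-traversal sequences (`..` and its common percent-encoded forms).
 *
 * The middleware inspects `req.body`, `req.query`, `req.params` and the raw
 * `req.url`. It reads `req.body`, so it has to be registered after any body
 * parser for body fields to be seen. NOTE(review): when mounted with a plain
 * `app.use()`, Express has typically not populated `req.params` yet, so route
 * parameters are then covered only through `req.url` — confirm for your
 * routing setup.
 *
 * This is a coarse denylist, not a containment check. Handlers that turn
 * request data into filesystem paths should still resolve the path against a
 * fixed base directory and verify the result stays inside it. The `..`
 * pattern also matches harmless text containing two consecutive dots, so
 * free-text fields can be rejected as false positives.
 *
 * @returns {(req: object, res: object, next: Function) => unknown} Middleware
 *   that answers 400 with `{ error, field }` on a match and otherwise calls
 *   `next()`.
 */
function setupPathTraversal() {
  // No `g` flag: a global regex keeps `lastIndex` between `.test()` calls,
  // which makes repeated tests against different strings unreliable.
  const pathTraversalPatterns = [
    /\.\./,
    // Kept as published for compatibility: matches a dot followed by two
    // backslashes. NOTE(review): possibly meant to be `..\` — confirm intent.
    /\.\\\\/,
    /%2e%2e/i,
    /%252e%252e/i,
    /\.\.%2f/i,
    /\.\.%5c/i,
    // Mixed plain / single-encoded / double-encoded dots, e.g. `.%2e`, `%2e.`.
    /(?:\.|%2e|%252e){2}/i,
  ];

  // Upper bound on how much of an offending value is written to the log.
  const MAX_LOGGED_LENGTH = 200;

  /**
   * Search a value, including nested arrays and objects, for a string that
   * matches a traversal pattern. Iterative (explicit stack) so that a deeply
   * nested body cannot exhaust the call stack.
   *
   * @param {unknown} root - Value taken from one request field.
   * @returns {string|undefined} The first offending string found, if any.
   */
  const findTraversalString = (root) => {
    const pending = [root];
    const visited = new Set();
    while (pending.length > 0) {
      const current = pending.pop();
      if (typeof current === 'string') {
        if (pathTraversalPatterns.some((pattern) => pattern.test(current))) {
          return current;
        }
      } else if (
        current !== null &&
        typeof current === 'object' &&
        !ArrayBuffer.isView(current) &&
        !visited.has(current)
      ) {
        visited.add(current);
        for (const child of Object.values(current)) {
          pending.push(child);
        }
      }
    }
    return undefined;
  };

  return (req, res, next) => {
    // A raw text body is checked as a single field named `body`.
    const body = typeof req.body === 'string' ? { body: req.body } : req.body;

    // Each source is checked on its own. Merging them into one object would
    // let a benign query or route value hide a body field of the same name.
    const sources = [body, req.query, req.params, { url: req.url }];

    for (const source of sources) {
      if (source === null || typeof source !== 'object' || ArrayBuffer.isView(source)) {
        continue;
      }
      for (const [key, value] of Object.entries(source)) {
        const offending = findTraversalString(value);
        if (offending !== undefined) {
          // JSON.stringify escapes control characters, so request data cannot
          // inject line breaks into the log; the value is also truncated.
          const shownKey = JSON.stringify(key);
          const shownValue = JSON.stringify(offending.slice(0, MAX_LOGGED_LENGTH));
          console.warn(`🚨 Path traversal attempt detected in ${shownKey}: ${shownValue}`);
          return res.status(400).json({
            error: 'Invalid path detected',
            field: key,
          });
        }
      }
    }
    next();
  };
}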
// Export the factory itself: callers invoke setupPathTraversal() to obtain the
// middleware function. The middleware reads req.body, so it has to be
// registered after any body parser for body fields to be inspected.
module.exports = setupPathTraversal;