Path Traversal in Express res.render() View Name

High Risk Path Traversal
Tags: javascript, express, template, path-traversal, view-injection

What it is

Path traversal vulnerabilities occur when user input is used directly as the template name in res.render() without validation. Attackers can use path traversal sequences to render unauthorized templates, potentially exposing sensitive views, administrative interfaces, or bypassing access controls.

Vulnerable code:

const express = require('express');
const app = express();

// VULNERABLE: template name from user input
app.get('/page/:template', (req, res) => {
    const templateName = req.params.template;
    
    // DANGEROUS: no validation allows path traversal
    res.render(templateName, { 
        title: 'Dynamic Page',
        user: req.user 
    });
});

app.get('/view', (req, res) => {
    const view = req.query.view;
    
    // DANGEROUS: allows path traversal
    res.render(view, { data: req.body });
});

// Attack: /page/../admin/users
// Attack: /view?view=../restricted/secrets
// Attack: /page/../../config/database

Secure version:

const express = require('express');
const app = express();

// Define allowed templates
const ALLOWED_TEMPLATES = {
    'home': 'pages/home',
    'about': 'pages/about', 
    'contact': 'pages/contact',
    'profile': 'user/profile'
};

// SECURE: validate against allowlist
app.get('/page/:template', (req, res) => {
    const templateKey = req.params.template;
    
    // Safe: validate against allowlist
    if (!ALLOWED_TEMPLATES.hasOwnProperty(templateKey)) {
        return res.status(404).render('errors/404');
    }
    
    const templateName = ALLOWED_TEMPLATES[templateKey];
    res.render(templateName, {
        title: 'Page',
        user: req.user
    });
});

app.get('/view', (req, res) => {
    const view = req.query.view;
    
    // Validate against allowlist
    if (!ALLOWED_TEMPLATES.hasOwnProperty(view)) {
        return res.status(400).json({ error: 'Invalid view' });
    }
    
    res.render(ALLOWED_TEMPLATES[view], { data: req.body });
});

💡 Why This Fix Works

The vulnerable code uses user input directly as template names in res.render(), allowing attackers to use path traversal sequences to access unauthorized templates. The secure version validates template names against an allowlist, mapping safe IDs to actual template paths.

Why it happens

Using req.params, req.query, or req.body directly as template names.

Root causes

User Input in Template Names

Using req.params, req.query, or req.body directly as template names.

Missing Template Name Validation

Not validating template names against an allowlist of permitted views.

Dynamic Template Selection

Building template paths dynamically from user input without sanitization.

Fixes

1. Use Template Allowlists

Map user input to predefined template names using an allowlist object.

2. Validate Template Names

Reject template names containing path traversal sequences like '../'. Treat this as a secondary check rather than the fix itself: Express resolves a view name against the views directory with path.resolve(), so a name can also escape that directory without containing '../' (an absolute name, for example), which is why the allowlist in fix 1 is the primary control.

3. Use Template IDs

Accept template IDs and map them to actual template paths server-side.

Detect This Vulnerability in Your Code

Sourcery automatically identifies path traversal in Express res.render() view names, along with many other security issues in your codebase.