fix: add path containment check in View.prototype.lookup()

som14062005 · som14062005 · commit 84d809d4de15 · 2026-03-31T14:13:38.000+05:30
View.prototype.lookup() used path.resolve(root, name) without verifying the resolved path stayed within the configured views directory. This inconsistency with res.sendFile() (which uses the send library root containment check) could allow path traversal when user input is passed to res.render() unsanitized. Added a containment check that skips any resolved path not starting with resolve(root) + sep. Absolute paths are intentionally exempted since Express supports passing absolute paths directly to res.render(). Fixes #7140
diff --git a/lib/view.js b/lib/view.js
@@ -27,6 +27,8 @@ var basename = path.basename;
 var extname = path.extname;
 var join = path.join;
 var resolve = path.resolve;
+var sep = path.sep;
+var isAbsolute = path.isAbsolute;
 
 /**
  * Module exports.
@@ -112,6 +114,13 @@ View.prototype.lookup = function lookup(name) {
 
     // resolve the path
     var loc = resolve(root, name);
+
+    // containment check: only for relative paths — absolute paths are intentional
+    if (!isAbsolute(name) && loc.indexOf(resolve(root) + sep) !== 0) {
+      debug('path traversal attempt blocked: "%s"', loc);
+      continue;
+    }
+
     var dir = dirname(loc);
     var file = basename(loc);
 
@@ -202,4 +211,4 @@ function tryStat(path) {
   } catch (e) {
     return undefined;
   }
-}
+}
