path.join() Is Not Path Validation

You may assume path.join() keeps requests inside your directory. It does not. It concatenates path segments and normalises the result; it is a string helper, not a security control.

Attackers send ../ segments to climb out of the intended directory, one level per segment, and then read whatever the process can: .env files, credential files, and other secrets on the host.

The fix is not a longer prefix. Prepending a trusted base directory is not a sandbox, because join() normalises the ../ segments away after the prefix has been added. Resolve the final path and verify that it still lies inside the base directory before you read from the disk.

Source: https://dev.to/oopssec-store/pathjoin-is-not-path-validation-a-nextjs-traversal-walkthrough-3na0