Skip to content

doc: clarify fileURLToPath security considerations #60887

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nodejs-github-bot merged 1 commit into from
Nov 30, 2025
Merged

doc: clarify fileURLToPath security considerations #60887

nodejs-github-bot merged 1 commit into from
Nov 30, 2025
+23 −0

Conversation

@RafaelGSS
Copy link
Member

@RafaelGSS RafaelGSS commented Nov 28, 2025

Add clarification that fileURLToPath() decodes encoded dot-segments (%2e%2e) which are normalized as path traversal. Applications must perform their own path validation to prevent directory traversal attacks.

Also applies to fileURLToPathBuffer().

cc: @targos @mcollina

@RafaelGSS
doc: clarify fileURLToPath security considerations
0857fde 
Add clarification that fileURLToPath() decodes encoded
dot-segments (%2e%2e) which are normalized as path traversal.
Applications must perform their own path validation to
prevent directory traversal attacks.

Also applies to fileURLToPathBuffer().
@nodejs-github-bot nodejs-github-bot added doc Issues and PRs related to the documentations. url Issues and PRs related to the legacy built-in url module. labels Nov 28, 2025
@RafaelGSS RafaelGSS added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue Add this label to land a pull request using GitHub Actions. labels Nov 29, 2025
mcollina
mcollina approved these changes Nov 29, 2025
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Nov 30, 2025
@nodejs-github-bot nodejs-github-bot merged commit 6f7f51b into nodejs:main Nov 30, 2025
32 checks passed
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 30, 2025

Landed in 6f7f51b

targos pushed a commit that referenced this pull request Dec 5, 2025
@RafaelGSS @targos
doc: clarify fileURLToPath security considerations
f7effb2 
Add clarification that fileURLToPath() decodes encoded
dot-segments (%2e%2e) which are normalized as path traversal.
Applications must perform their own path validation to
prevent directory traversal attacks.

Also applies to fileURLToPathBuffer().

PR-URL: #60887
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina approved these changes

@lpinca lpinca lpinca approved these changes

@cjihrig cjihrig cjihrig approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. doc Issues and PRs related to the documentations. url Issues and PRs related to the legacy built-in url module.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@RafaelGSS @nodejs-github-bot @mcollina @lpinca @cjihrig @marco-ippolito