Skip to content

doc: clarify fileURLToPath security considerations #60887

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

doc: clarify fileURLToPath security considerations #60887

wants to merge 1 commit into from
+23 −0

Conversation

@RafaelGSS
Copy link
Member

@RafaelGSS RafaelGSS commented Nov 28, 2025

Add clarification that fileURLToPath() decodes encoded dot-segments (%2e%2e) which are normalized as path traversal. Applications must perform their own path validation to prevent directory traversal attacks.

Also applies to fileURLToPathBuffer().

cc: @targos @mcollina

@RafaelGSS
doc: clarify fileURLToPath security considerations
0857fde 
Add clarification that fileURLToPath() decodes encoded
dot-segments (%2e%2e) which are normalized as path traversal.
Applications must perform their own path validation to
prevent directory traversal attacks.

Also applies to fileURLToPathBuffer().
@nodejs-github-bot nodejs-github-bot added doc Issues and PRs related to the documentations. url Issues and PRs related to the legacy built-in url module. labels Nov 28, 2025
@RafaelGSS RafaelGSS added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue Add this label to land a pull request using GitHub Actions. labels Nov 29, 2025
mcollina
mcollina approved these changes Nov 29, 2025
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina approved these changes

@lpinca lpinca lpinca approved these changes

@cjihrig cjihrig cjihrig approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue Add this label to land a pull request using GitHub Actions. doc Issues and PRs related to the documentations. url Issues and PRs related to the legacy built-in url module.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@RafaelGSS @mcollina @lpinca @cjihrig @marco-ippolito @nodejs-github-bot