HackerOne report H1:315760 (orange)
Feb 13, 2018 - 9:48 p.m.

Node.js third-party modules: Path Traversal on Resolve-Path

2018-02-13 21:48:00
orange
hackerone.com
93

EPSS: 0.003 (Low), percentile 71.6%

The author of resolve-path told me that I could submit this here. The vulnerability was already reported to the author and has been fixed!

Module

module name: resolve-path
version: 1.3.3
npm page: https://www.npmjs.com/package/resolve-path

Description

Resolve a relative path against a root path with validation.

This module is meant to protect against common attacks like GET /…/file.js, which reach outside the root folder.

Module Stats

Stats
[8264] downloads in the last day
[48226] downloads in the last week
[210556] downloads in the last month

~[2526672] estimated downloads per year

Description

The library fails to correctly process a drive-relative path such as C:../../ on Windows, so such a path can traverse outside the root.

Steps To Reproduce:

require('resolve-path')("C:/windows/temp/", "C:../../")

Supporting Material/References:

  • Windows 10
  • Node v8.9.4
  • NPM 5.6.0

Wrap up

  • [Y] I contacted the maintainer to let him know
  • [N] I opened an issue in the related repository

Impact

This library has many dependents; for example, KoaJS is affected by this vulnerability:

[21086] downloads in the last day
[113573] downloads in the last week
[462543] downloads in the last month
~[5550516] estimated downloads per year
