Path Traversal in Restify with Mutual Tls
Path Traversal in Restify with Mutual Tls — how this specific combination creates or exposes the vulnerability
Path Traversal occurs when an API endpoint uses unsanitized user input to build file system paths, allowing an attacker to escape the intended directory. In Restify, this typically manifests through endpoints that accept a filename or path parameter and directly concatenate it with a base directory. When Mutual Tls (mTLS) is enforced, the server validates client certificates, which can create a false sense of security. Operators may assume that because authentication is strong, input validation is less critical. However, mTLS ensures the identity of the caller but does not constrain what that authenticated caller is allowed to access on the filesystem.
Consider a Restify service that uses mTLS and exposes an endpoint to retrieve user documents. The code might look like:
const fs = require('fs');
const path = require('path');
const restify = require('restify');
const server = restify.createServer({
tls: {
cert: 'server-cert.pem',
key: 'server-key.pem',
ca: 'ca-cert.pem',
requestCert: true,
rejectUnauthorized: true
}
});
server.get('/documents/:filename', (req, res, next) => {
const baseDir = '/var/data/documents';
const filename = req.params.filename;
const filePath = path.join(baseDir, filename);
fs.readFile(filePath, (err, data) => {
if (err) {
return next(new restify.NotFoundError('File not found'));
}
res.send(data);
return next();
});
});
server.listen(8080, () => console.log('Listening'));Even with mTLS ensuring only authorized clients can connect, an authenticated client can supply ../../../etc/passwd as filename. The path.join call will resolve to /var/data/documents/../../../etc/passwd, which normalizes to /etc/passwd, resulting in unauthorized data exposure. This is a classic Path Traversal (CWE-22). The combination of mTLS and Path Traversal is particularly dangerous because the security boundary is misperceived: mTLS handles transport and identity, but does not sanitize path construction.
During a middleBrick scan, such an endpoint would trigger findings in the Path Traversal category and likely also in Data Exposure, with remediation guidance to validate and restrict file paths. The scanner checks whether user-controlled input is properly sanitized before being used in filesystem operations, regardless of the authentication mechanism in place.
Mutual Tls-Specific Remediation in Restify — concrete code fixes
To remediate Path Traversal in Restify while using mTLS, focus on strict input validation and safe path resolution. The key is to never trust user-supplied path components. Use a whitelist of allowed filenames or map logical names to physical paths. Always resolve the final path and ensure it remains within the intended base directory.
Here is a secure Restify implementation with mTLS:
const fs = require('fs');
const path = require('path');
const restify = require('restify');
const allowedDocuments = new Set(['report.pdf', 'invoice.pdf', 'terms.txt']);
const server = restify.createServer({
tls: {
cert: 'server-cert.pem',
key: 'server-key.pem',
ca: 'ca-cert.pem',
requestCert: true,
rejectUnauthorized: true
}
});
server.get('/documents/:filename', (req, res, next) => {
const filename = req.params.filename;
// Whitelist validation
if (!allowedDocuments.has(filename)) {
return next(new restify.ForbiddenError('Access denied'));
}
const baseDir = '/var/data/documents';
const safePath = path.resolve(baseDir, filename);
// Ensure the resolved path is still within baseDir
if (!safePath.startsWith(path.resolve(baseDir) + path.sep)) {
return next(new restify.ForbiddenError('Invalid path'));
}
fs.readFile(safePath, (err, data) => {
if (err) {
return next(new restify.NotFoundError('File not found'));
}
res.setHeader('Content-Type', 'application/octet-stream');
res.send(data);
return next();
});
});
server.listen(8080, () => console.log('Listening'));This approach eliminates Path Traversal by:
- Using a whitelist (
allowedDocuments) to restrict which filenames are accepted. - Calling
path.resolveto eliminate any..sequences before path comparison. - Verifying that the resolved path starts with the expected base directory, preventing directory escape even if the filename contains encoded slashes or null bytes.
For broader protection across your API surface, consider using the middleBrick CLI to scan your endpoints: middlebrick scan <url>. The tool will identify Path Traversal risks and map them to frameworks like OWASP API Top 10. If you need continuous monitoring, the Pro plan provides scheduled scans and alerts, helping you catch regressions before they reach production.
Related CWEs: inputValidation
| CWE ID | Name | Severity |
|---|---|---|
| CWE-20 | Improper Input Validation | HIGH |
| CWE-22 | Path Traversal | HIGH |
| CWE-74 | Injection | CRITICAL |
| CWE-77 | Command Injection | CRITICAL |
| CWE-78 | OS Command Injection | CRITICAL |
| CWE-79 | Cross-site Scripting (XSS) | HIGH |
| CWE-89 | SQL Injection | CRITICAL |
| CWE-90 | LDAP Injection | HIGH |
| CWE-91 | XML Injection | HIGH |
| CWE-94 | Code Injection | CRITICAL |
Frequently Asked Questions
Does mTLS alone prevent Path Traversal vulnerabilities in Restify APIs?
How can I test my Restify endpoints for Path Traversal without a pentest?
middlebrick scan https://api.example.com. It will attempt path traversal patterns and report findings with remediation guidance, helping you identify unsafe path construction without requiring manual test cases.