HIGH zip slipexpressapi keys

Zip Slip in Express with Api Keys

Scan for zip slip in express

Zip Slip in Express with Api Keys — how this specific combination creates or exposes the vulnerability

Zip Slip is a path traversal vulnerability that occurs when an application constructs file paths using user-supplied input without proper validation. In an Express API that relies on Api Keys for access control, the presence of Api Keys does not inherently protect against Zip Slip; if endpoints that serve files or extract archives do not sanitize paths, an authenticated caller with a valid Api Key can traverse directories and overwrite or read arbitrary files. For example, an endpoint like /download/:filename that uses the Api Key to identify the caller but then concatenates filename directly into a filesystem path can be exploited with inputs such as ../../../etc/passwd. The Api Key ensures the request is authorized in the application's view, but the server-side path resolution still leads to directory traversal, exposing sensitive system files.

When OpenAPI specs define parameters for file operations, developers might assume that schema validation prevents traversal, but path traversal patterns are often not caught by basic type or format validation. MiddleBrick’s checks for BFLA/Privilege Escalation and Input Validation would flag this as a high-severity finding because the API permits unsafe path resolution even when authentication via Api Keys passes. This combination is particularly risky in microservice architectures where services use bearer Api Keys and shared storage; a compromised service or a malicious insider with a valid key can leverage Zip Slip to reach files outside the intended directory tree.

Real-world exploit patterns mirror CVE-2020-15366-like scenarios where archive extraction does not enforce strict path canonicalization. If an Express endpoint accepts an uploaded ZIP and extracts it without verifying that extracted paths remain within a designated directory, an attacker can supply a crafted archive containing paths like ../../../../sensitive/file.txt. Even with Api Keys enforced at the gateway, the extraction logic must independently ensure safe path resolution. MiddleBrick’s checks for Property Authorization and Unsafe Consumption highlight these gaps by correlating authentication context with runtime path behavior, ensuring that authorization does not inadvertently imply safe file system access.

Api Keys-Specific Remediation in Express — concrete code fixes

To remediate Zip Slip in Express when using Api Keys, focus on secure path handling regardless of authentication correctness. Always resolve and validate file paths on the server side using canonical absolute paths and a strict allowlist of permitted directories. Do not trust user input for filenames or archive entries.

const express = require('express');
const path = require('path');
const fs = require('fs');

const app = express();
const ALLOWED_DIRECTORY = path.resolve(__dirname, 'uploads');

function validateFilePath(userPath) {
  const resolved = path.resolve(ALLOWED_DIRECTORY, userPath);
  if (!resolved.startsWith(ALLOWED_DIRECTORY)) {
    throw new Error('Invalid path');
  }
  return resolved;
}

app.get('/download/:filename', (req, res) => {
  // Assume Api Key validation middleware has already run and attached req.apiKey
  const filename = req.params.filename;
  try {
    const filePath = validateFilePath(filename);
    if (!fs.existsSync(filePath) || !fs.statSync(filePath).isFile()) {
      return res.status(404).send('Not found');
    }
    res.sendFile(filePath);
  } catch (err) {
    return res.status(400).send('Bad request');
  }
});

module.exports = app;

In this example, the Api Key authentication is handled separately (e.g., via middleware that verifies req.headers['x-api-key']), but path validation is independent and ensures that no traversal is possible. The validateFilePath function canonicalizes the user-supplied filename and confirms it remains within ALLOWED_DIRECTORY. This approach aligns with remediation guidance from MiddleBrick’s findings for BFLA/Privilege Escalation and Input Validation checks, which emphasize isolating authentication from file system operations.

When integrating MiddleBrick into your workflow, use the CLI to scan endpoints and verify fixes: middlebrick scan https://api.example.com. The CLI outputs structured findings that can inform CI/CD gates in the Pro plan, where continuous monitoring flags regressions in path handling. For teams using the GitHub Action, failing builds on risk score drops ensures that path validation issues like Zip Slip are caught before deployment. The MCP Server further enables on-the-fly scanning from AI coding assistants, reinforcing secure coding practices during development.

Scan for zip slip in express Free API security scan

Frequently Asked Questions

Does using Api Keys prevent Zip Slip in Express APIs?
No. Api Keys handle authentication and authorization but do not prevent path traversal. Zip Slip depends on how file paths are resolved; unsafe concatenation of user input into filesystem paths can still lead to traversal regardless of Api Key presence.
What specific remediation steps should Express developers take to address Zip Slip alongside Api Key usage?
Validate and sanitize all user-supplied path components, resolve file paths to absolute canonical forms, enforce strict allowlists for base directories, and perform these checks independently of authentication. Use middleware for Api Key validation and separate, robust path validation logic to ensure authorization does not bypass secure file handling.

Related Pages

Zip Slip in ExpressZip Slip vulnerabilities in Express allow attackers to overwrite files via malicious ZIP uploads. Learn detection and reZip Slip with Api KeysZip Slip in API key systems allows path traversal attacks that overwrite API keys and configuration. Learn detection andZip Slip in Express on AwsUnderstand Zip Slip in Express on AWS with concrete attack scenarios and AWS-specific remediation examples.Zip Slip in Express on FirebaseExplore Zip Slip in Express with Firebase — understand the risk and apply concrete path validation and Firebase-specificZip Slip in Express on Fly IoUnderstand Zip Slip in Express on Fly Io, with concrete remediation code examples and Fly Io configuration guidance.Zip Slip in Express on DigitaloceanLearn how Zip Slip affects Express on Digitalocean and apply concrete path validation fixes in Node.js with code examplePci Dss: Zip Slip in ExpressExplore how Zip Slip impacts PCI-DSS in Express apps and apply concrete Express code fixes to prevent path traversal in Soc2: Zip Slip in ExpressExplore Zip Slip in Express APIs, understand SOC 2 implications, and apply concrete Express remediation with code examplIso 27001: Zip Slip in ExpressExplore Zip Slip in Express through ISO 27001 controls, with secure extraction code and remediation guidance.Cis: Zip Slip in ExpressCis in Zip Slip with Express: understand the path traversal risk and apply concrete Express-specific fixes with secure cZip Slip in Express with DynamodbExplore Zip Slip in Express with DynamoDB: understand the vulnerability chain and apply concrete code fixes using safe pZip Slip in Express with CockroachdbExplore Zip Slip in Express with Cockroachdb, understand path traversal risks, and apply concrete remediation with code