Slynova-Org / flydrive

☁️ Flexible and Fluent framework-agnostic driver based system to manage storage in Node.js


[Bug] LocalFileSystem driver always allowing reading absolute paths is a major security vulnerability.

OJezu opened this issue · comments

If the path is not normalized before being passed, and comes from a user, anyone can read any file on the host machine. E.g.

// Root the driver is meant to be confined to
const flydrive = new LocalFileSystem({root: '/var/www/app/images'});

app.get('/image', async (req, res) => {
    // req.query.path is user-controlled and is passed through unchanged
    res.send(await flydrive.getBuffer(req.query.path));
});

Then requesting http://example.com/thumbnail?path=/etc/passwd or http://example.com/thumbnail?path=../../../../etc/passwd will return the contents of /etc/passwd.

LocalFileSystem should treat all paths as relative, and perform normalization before joining root path to file path.

Hey @OJezu! 👋

After discussion with @targos we may want to do something like here or doing like the following:

const path = require('path');
// filename comes straight from the request
var filename = filenameFromUser;
var resolved = path.resolve(this.root, filename);
if (!resolved.startsWith(this.root)) throw new Error('out of bounds');

What do you think?

@RomainLanz I already tested this.
path.join(this.$root, path.join('/', filename))
It's in this commit: gamfi@57179e0

And a lot of other things:
https://github.com/gamfi/flydrive/tree/feature/api-cleanup
It's an opinionated rewrite:

  • removing features which were implemented by only one storage (append and prepend)
  • adding metadata and headers support, but removing getStat
  • removing getString as loading files to string is not advised (Buffers have .toString, anyway),
  • creating a single test suite run against all storages (as the tests were using many methods per test anyway),
  • dropping japa in favor of jest, as more feature-packed - japa is fast, but cannot even filter tests by name,
  • testing against real s3 always.