koajs / send

Transfer static files


Should the path be normalized?

dlmr opened this issue

I'm using koa-send in my Koa server and I have the problem that I get Malicious Path from resolve-path when the request path is something along the lines of http://localhost:3000//some/path/image.jpg.

Would it be a bad idea to path.normalize the path in koa-send before processing it further? This could for instance be done here https://github.com/koajs/send/blob/master/index.js#L46 before doing substring on the path.

I'm on Windows and I get the same error with all requests because resolve-path thinks they are absolute paths. That is because the path always starts with a slash. I assume this line is supposed to remove the leading slash, but on Windows path.parse returns '' for root for paths that start with a slash. Therefore the path will have a leading slash when it's passed to resolve-path.

but on Windows path.parse returns '' for root for paths that start with a slash

Tested with node@4 on win10 (VM):

path.parse('/a/b')
{root: '/', ...}

@Pumpuli I think your problem is koajs/static#77?

I think your problem is koajs/static#77?

Yep, seems to be a Node issue, works on Node 5.6.0.

@coderhaoxin
In Node 5.7.0

path.parse("/a/b")

returns

{ root: '', dir: '/a', base: 'b', ext: '', name: 'b' }

I suggest using path.posix.parse instead of path.parse.

@zbinlin I saw your PR to node; 5.7.1 will fix this, right?

@coderhaoxin right, but I also suggest using path.posix.parse instead of path.parse in koa-send.

I also suggest using path.posix.parse instead of path.parse in koa-send.

@zbinlin Why so? Shouldn't we use path#parse and let Node determine how to resolve the path depending on the environment?

@tejasmanohar I think the path is usually a Unix path (or URL path), so we can remove only the first forward slash of the path using path.posix.parse.

Yeah, I think the point is that path#parse is for parsing filesystem paths, but in this case we're parsing the path part of a URL.