I'm coming from PHP, where you can inject double dots into a URL to try directory traversal. In NodeJS, it seems that the HTTP webserver automatically removes the double dots from the URL.
For example, if you go to http://example.com/static/../app.js, it seems like Node redirects to http://example.com/app.js, which then throws a 404 in my case, because there is no callback for URLs not starting with /static/.
Is it safe to assume that directory traversal via request.url is not possible in a NodeJS HTTP webserver created using the http package?
I was gonna say that you can be sure that it's not possible, then I tried and I have to say that no, it doesn't seem like the http module removes '/../'. The redirection you saw is done in the browser. So whether it's a security risk or not depends on how your static handler is implemented.
Proof of concept:
// Server
var http = require('http');
http.createServer(function (req, res) {
    // Echo the raw request URL back so we can see whether the '..' survived
    res.writeHead(200, {'Content-Type': 'text/plain'});
    res.end(req.url);
}).listen(1337);
Curl it:
curl "http://localhost:1337/static/../app.js"
# /static/../app.js
So if you use a homebuilt static handler that just uses path.resolve() you're screwed. Hopefully popular ones like express.static have thought about this, but I haven't tried it.
Update
Express indeed responds with a 404 "Error: Forbidden".