Path Traversal in Adonisjs with Basic Auth

Path Traversal occurs when user-controlled input is used to construct file system paths without adequate validation or sanitization, allowing an attacker to navigate outside the intended directory. In AdonisJS, this commonly surfaces in file-serving routes or controllers that build paths from request parameters, query strings, or route tokens. When Basic Auth is used for route-level access control, it can create a false sense of security: developers may assume authenticated access implies safe, constrained file access, and therefore skip input validation or path normalization. This combination becomes risky when authentication is handled by middleware that only verifies credentials but does not enforce strict path constraints downstream.

Consider an AdonisJS route that serves user-uploaded documents using a filename supplied by the caller:

// routes.ts
Route.get('/documents/:filename', async ({ params, auth }) => {
  if (auth.check()) {
    const base = '/var/app/uploads';
    const filePath = path.join(base, params.filename);
    return await fs.readFile(filePath);
  }
  throw new Exception('Unauthorized', 401, 'E_UNAUTHORIZED');
});

If the developer trusts that Basic Auth protects the endpoint, they might overlook that params.filename can contain sequences like ../../../etc/passwd. The path.join call will normalize the path, but because it processes .. segments, it can escape /var/app/uploads and read arbitrary files. In a black-box scan, middleBrick tests unauthenticated attack surfaces where possible; if the Basic Auth header is omitted or the route is also exposed anonymously, the traversal becomes immediately observable. Even when authentication is required, middleBrick’s LLM/AI Security checks do not apply here, but the scanner’s Input Validation and Property Authorization checks will flag missing path canonicalization and insufficient boundary checks. The presence of Basic Auth alone does not mitigate path traversal; secure path handling must be implemented explicitly.

Framework-specific behaviors can exacerbate the issue. AdonisJS does not inherently restrict path resolution, so it’s the developer’s responsibility to ensure that user input never escapes the intended directory. Attack patterns commonly seen in the wild include repeated directory traversal attempts to reach sensitive system files, configuration files, or logs. The severity is typically high when sensitive files are readable, and the impact depends on what data or functionality the filesystem exposure enables.

To prevent Path Traversal in AdonisJS when using Basic Auth, you must validate and sanitize user input before using it in filesystem operations. Do not rely on authentication middleware to enforce path boundaries. Instead, canonicalize the resolved path and ensure it remains within the allowed directory. Below is a secure pattern that combines Basic Auth with strict path validation:

// routes.ts
import path from 'path';
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext';
import { ensureDir, pathExists, readFile } from 'fs-extra';

Route.get('/documents/:filename', async ({ params, auth, response }: HttpContextContract) => {
  // Require authentication
  if (!auth.check()) {
    return response.unauthorized();
  }

  const allowedBase = path.resolve('/var/app/uploads');
  // Normalize user input by removing path segments and resolving relative parts
  const safeName = params.filename.replace(/^(\.\.[\/\\])+/, '');
  const candidate = path.resolve(allowedBase, safeName);

  // Ensure the resolved path is still within the allowed base
  if (!candidate.startsWith(allowedBase)) {
    return response.badRequest({ error: 'Invalid filename' });
  }

  if (!(await pathExists(candidate))) {
    return response.notFound({ error: 'File not found' });
  }

  const content = await readFile(candidate);
  return response.send(content);
});

Key remediation practices specific to this combination:

• Always resolve paths with path.resolve and confirm the result starts with the expected base directory.
• Strip or reject path traversal sequences (.. or encoded equivalents) before joining paths.
• Do not rely on Basic Auth for path safety; treat authentication and input validation as independent controls.
• Use strict allowlists for filenames or extensions where feasible, avoiding direct filesystem access when possible.

For API security posture tracking, you can use the middleBrick CLI to scan endpoints and confirm that traversal attempts are correctly rejected:

middlebrick scan https://api.example.com/documents/test.txt

Leverage the Web Dashboard or the GitHub Action to integrate these checks into CI/CD, failing builds if insecure path handling is detected in scanned endpoints.