Path Traversal in Loopback with Basic Auth

Path Traversal in a Loopback application protected by Basic Auth can still occur because authentication and path validation are separate concerns. Basic Auth confirms identity but does not enforce safe file-system or route access. When user-controlled input such as query parameters, route parameters, or request headers is used to build file paths or directory traversal sequences (e.g., ../) without strict validation, an authenticated or unauthenticated attacker can escape intended directories.

In a Loopback application, path traversal often arises when the server constructs local file paths from request parameters to serve files or access resources. Even when Basic Auth is enforced via middleware, the authorization boundary is limited to verifying credentials; it does not sanitize or restrict file-system operations. For example, an endpoint like /files that accepts a path query parameter and uses it to read from a base directory can be abused with sequences like ../../etc/passwd. The Basic Auth token may satisfy the authentication check, but the server must still validate that the resolved path remains within the allowed directory. Without canonicalization and strict prefix checks, the application exposes sensitive files or enables unauthorized access across the loopback interface.

During a middleBrick scan, which tests the unauthenticated attack surface by default and also evaluates authenticated surfaces when credentials are provided, such weaknesses are surfaced across multiple checks. Path Traversal is identified alongside the Authentication check when Basic Auth is present but insufficient input validation allows directory escape. The scanner examines input validation controls, resource exposure, and property authorization to determine whether traversal is feasible. This illustrates that proper remediation must focus on secure path resolution and canonicalization rather than relying on transport-layer authentication alone.

To remediate Path Traversal in Loopback with Basic Auth, enforce strict path validation and avoid direct use of user input in file-system operations. Combine Basic Auth with safe path resolution using Node.js built-in utilities and explicit allowlists.

Example of vulnerable code using Basic Auth with unsafe path resolution:

const path = require('path');
const BasicAuth = require('basic-auth');

app.get('/files', (req, res) => {
  const user = BasicAuth(req);
  if (!user || user.name !== 'admin' || user.pass !== 'secret') {
    res.set('WWW-Authenticate', 'Basic realm="example"');
    return res.status(401).send('Authentication required');
  }
  const requested = req.query.name; // e.g., ../../etc/passwd
  const filePath = path.join('/var/data', requested);
  res.sendFile(filePath, (err) => {
    if (err) res.status(500).send('File error');
  });
});

This code authenticates via Basic Auth but does not prevent directory traversal via requested.

Secure remediation with path validation and canonicalization:

const path = require('path');
const BasicAuth = require('basic-auth');

const ALLOWED_FILES = new Set(['report.pdf', 'config.yaml', 'readme.txt']);

app.get('/files', (req, res) => {
  const user = BasicAuth(req);
  if (!user || user.name !== 'admin' || user.pass !== 'secret') {
    res.set('WWW-Authenticate', 'Basic realm="example"');
    return res.status(401).send('Authentication required');
  }

  const requested = req.query.name;
  if (!requested || typeof requested !== 'string' || !ALLOWED_FILES.has(requested)) {
    return res.status(400).send('Invalid file request');
  }

  const baseDir = '/var/data';
  const filePath = path.resolve(baseDir, requested);
  const normalizedBase = path.resolve(baseDir) + path.sep;
  const normalizedFile = path.resolve(filePath) + path.sep;

  if (!normalizedFile.startsWith(normalizedBase)) {
    return res.status(403).send('Access denied');
  }

  res.sendFile(filePath, (err) => {
    if (err) res.status(500).send('File error');
  });
});

Key practices:

• Use an allowlist of permitted filenames rather than raw user input.
• Call path.resolve to eliminate .. sequences and obtain an absolute path.
• Ensure the resolved file path starts with the allowed base directory prefix after canonicalization.
• Return 403 for paths that escape the base directory, even when valid credentials are provided.

These steps ensure that Basic Auth handles identification while path validation and canonicalization handle safe resource access, reducing the risk of Path Traversal in Loopback APIs.