HIGH zip slipfeathersjsfirestore

Zip Slip in Feathersjs with Firestore

Scan for zip slip in feathersjs

Zip Slip in Feathersjs with Firestore — how this specific combination creates or exposes the vulnerability

Zip Slip is a path traversal vulnerability that occurs when a server extracts or constructs file paths using user-supplied input without proper validation. In a Feathersjs application that uses Google Cloud Firestore, the risk arises when file-related operations (for example, serving user uploads or importing data) build destination paths by concatenating a base directory with a filename provided by the client. If the filename contains sequences like ../, an attacker can traverse outside the intended directory and overwrite arbitrary files on the host filesystem. This becomes particularly dangerous when the Feathersjs service runs with elevated permissions or when the runtime environment exposes sensitive files.

Even though Firestore itself is a managed NoSQL database and does not directly handle filesystem paths, the vulnerability manifests in the application layer. Feathersjs services often combine Firestore for metadata storage with local or cloud storage for files. If the service uses user-controlled input to name files or directories—such as storing uploaded images or export files—and then resolves those paths insecurely, an attacker can manipulate the path traversal to escape the intended sandbox. For instance, a malicious filename like ../../../etc/passwd could be appended to a base path, causing the server to write or read outside the allowed directory. The Feathersjs hook architecture may inadvertently pass unchecked file paths to filesystem utilities, enabling the exploit chain.

An attacker might also leverage insecure default configurations or missing input sanitization in Feathersjs hooks that interact with storage plugins. If the service validates data against Firestore schemas but does not enforce strict path canonicalization before writing files, the Zip Slip vector remains open. The presence of Firestore does not prevent filesystem traversal; it only shifts the focus to how the application bridges database records with file system operations. Therefore, developers must treat file paths as untrusted input, regardless of the database used.

Firestore-Specific Remediation in Feathersjs — concrete code fixes

To mitigate Zip Slip in a Feathersjs application that uses Firestore, you must validate and sanitize any user-controlled input used in file paths before interacting with the filesystem. Always resolve paths using secure utilities that prevent directory traversal, and store only safe, canonical paths in Firestore documents.

Secure path resolution and canonicalization

Use Node.js path.resolve() and path.normalize() to construct absolute paths, and ensure the resulting path remains within the intended directory by prefix-checking against a base directory. Avoid simple string concatenation.

import path from 'path';

const baseDir = '/safe/upload/dir';
function getSafePath(userInput) {
  const normalized = path.normalize(userInput).replace(/^(\/|\.\.)/, '');
  const target = path.resolve(baseDir, normalized);
  if (!target.startsWith(path.resolve(baseDir))) {
    throw new Error('Invalid path: traversal attempt detected');
  }
  return target;
}

// Example usage in a Feathersjs hook
export default function () {
  return async context => {
    const { filename } = context.data;
    const safePath = getSafePath(filename);
    // Proceed with file operations using safePath
    return context;
  };
}

Firestore metadata with safe file references

Store only validated, relative paths or identifiers in Firestore, and keep filesystem-specific logic isolated in service hooks. This ensures that even if metadata is compromised, the attacker cannot directly manipulate filesystem paths.

import { Application } from '@feathersjs/feathers';
import { FirestoreService } from 'feathers-firebase-admin';
import { getFirestore } from 'firebase-admin/firestore';

const app: Application = {} as Application;
app.configure(new FirestoreService({
  name: 'documents',
  paginate: { default: 10, max: 50 },
  getFirestore: () => getFirestore()
}));

// In a custom hook, map a safe filename to a Firestore document
app.service('documents').hooks({
  before: {
    async create(context) {
      const safeName = context.data.name.replace(/[^a-zA-Z0-9._-]/g, '_');
      // Store only safe names; avoid embedding directory paths in Firestore
      context.data.name = safeName;
      return context;
    }
  }
});

Validation libraries and allowlists

Use a validation library to enforce strict filename patterns and reject any input containing path traversal sequences. An allowlist approach is more robust than a blocklist.

import { validate } from 'validate-naming';
// Assume validate allows only alphanumeric, dash, underscore, and dot without slashes
if (!validate(filename)) {
  throw new Error('Invalid filename format');
}

Least-privilege execution

Run the Feathersjs service with minimal filesystem permissions so that even if traversal occurs, the impact is limited. Avoid running as root and use dedicated service accounts with access only to required directories.

Scan for zip slip in feathersjs Free API security scan

Frequently Asked Questions

Does Firestore prevent Zip Slip on its own?
No. Firestore is a managed database and does not enforce filesystem path rules. Zip Slip protection must be implemented in the Feathersjs application logic that handles file paths.
Can middleBrick detect Zip Slip risks in Feathersjs + Firestore setups?
middleBrick scans unauthenticated attack surfaces and can identify insecure file handling patterns that may lead to path traversal, including misconfigurations in Feathersjs services that interact with storage, though it does not fix the issue.

Related Pages

Zip Slip in FeathersjsLearn how Zip Slip directory traversal attacks affect Feathersjs applications, how to detect them with middleBrick, and Zip Slip in FirestoreLearn how Zip Slip vulnerabilities manifest in Firestore applications, how to detect them with specialized scanning, andZip Slip in Feathersjs on CloudflareZip Slip in Feathersjs with Cloudflare: path traversal risks and remediation with code examples for safe path resolutionZip Slip in Feathersjs on AzureUnderstand Zip Slip in Feathersjs on Azure and apply concrete fixes with code examples. Use middleBrick CLI and GitHub APci Dss: Zip Slip in FeathersjsExplore Zip Slip in Feathersjs, PCI DSS implications, and concrete secure extraction patterns to prevent path traversal Soc2: Zip Slip in FeathersjsExplore how Zip Slip affects FeathersJS APIs, SOC 2 implications, and concrete remediation examples with code.Iso 27001: Zip Slip in FeathersjsExplore Zip Slip in FeathersJS under ISO 27001, understand the risk, and apply concrete FeathersJS code fixes with path Cis: Zip Slip in FeathersjsExplore Zip Slip risks in FeathersJS, understand CIS mappings, and apply concrete path sanitization fixes with code examZip Slip in Feathersjs with Jwt TokensZip Slip in Feathersjs with Jwt Tokens: path traversal risks and remediation with secure path resolution and input validZip Slip in Feathersjs with Api KeysUnderstand Zip Slip in FeathersJS with API keys and apply secure path handling and API key–based scoping with concrete cZip Slip in Feathersjs with Hmac SignaturesZip Slip in Feathersjs with Hmac Signatures: understanding the risk and implementing secure path validation and Hmac verZip Slip in Feathersjs with Basic AuthExplore Zip Slip in Feathersjs with Basic Auth: understand the risk and apply concrete path validation fixes with code e