examples: fix path traversal in downloads example

closes #4120

examples/downloads/index.js

@@ -6,8 +6,13 @@
 
 var express = require('../../');
 var path = require('path');
+var resolvePath = require('resolve-path')
+
 var app = module.exports = express();
 
+// path to where the files are stored on disk
+var FILES_DIR = path.join(__dirname, 'files')
+
 app.get('/', function(req, res){
   res.send('<ul>' +
     '<li>Download <a href="/files/notes/groceries.txt">notes/groceries.txt</a>.</li>' +
@@ -20,7 +25,7 @@ app.get('/', function(req, res){
 // /files/* is accessed via req.params[0]
 // but here we name it :file
 app.get('/files/:file(*)', function(req, res, next){
-  var filePath = path.join(__dirname, 'files', req.params.file);
+  var filePath = resolvePath(FILES_DIR, req.params.file)
 
   res.download(filePath, function (err) {
     if (!err) return; // file sent

package.json

@@ -75,6 +75,7 @@
     "multiparty": "4.2.2",
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
+    "resolve-path": "1.4.0",
     "should": "13.2.3",
     "supertest": "6.2.2",
     "vhost": "~3.0.2"

test/acceptance/downloads.js

@@ -36,4 +36,12 @@ describe('downloads', function(){
       .expect(404, done)
     })
   })
+
+  describe('GET /files/../index.js', function () {
+    it('should respond with 403', function (done) {
+      request(app)
+        .get('/files/../index.js')
+        .expect(403, done)
+    })
+  })
 })