docs(security): add path traversal warning to normalizePath()

jdalton · jdalton · commit 122034933a4c · 2025-11-08T23:49:44.000-08:00
Add security warning to normalizePath() JSDoc explaining that the function
resolves '..' patterns as part of normalization. Developers processing
untrusted user input (HTTP requests, file uploads, URL parameters) must
validate for path traversal attacks BEFORE calling this function.

Include examples showing how normalizePath() resolves traversal patterns:
- '/../etc/passwd' → '/etc/passwd'
- '/safe/../../unsafe' → '/unsafe'

This prevents misuse of normalizePath() on untrusted input where path
traversal validation should happen first.
diff --git a/src/path.ts b/src/path.ts
@@ -381,6 +381,13 @@ export function isRelative(pathLike: string | Buffer | URL): boolean {
  * @param {string | Buffer | URL} pathLike - The path to normalize
  * @returns {string} The normalized path with forward slashes and collapsed segments
  *
+ * @security
+ * **WARNING**: This function resolves `..` patterns as part of normalization, which means
+ * paths like `/../etc/passwd` become `/etc/passwd`. When processing untrusted user input
+ * (HTTP requests, file uploads, URL parameters), you MUST validate for path traversal
+ * attacks BEFORE calling this function. Check for patterns like `..`, `%2e%2e`, `\..`,
+ * and other traversal encodings first.
+ *
  * @example
  * ```typescript
  * // Basic normalization
@@ -401,6 +408,10 @@ export function isRelative(pathLike: string | Buffer | URL): boolean {
  * normalizePath('..')                        // '..'
  * normalizePath('///foo///bar///')           // '/foo/bar'
  * normalizePath('foo/../..')                 // '..'
+ *
+ * // Security: Path traversal is resolved (intended behavior for trusted paths)
+ * normalizePath('/../etc/passwd')            // '/etc/passwd' ⚠️
+ * normalizePath('/safe/../../unsafe')        // '/unsafe' ⚠️
  * ```
  */
 /*@__NO_SIDE_EFFECTS__*/
