    Route::get('/transaction/{name}', 'TransactionController@download');

    public function download($name){
        $path = storage_path('app/something/') . $name . '.xml';
        return response()->download($path);
    }
Using this action, the user shall only be able to download .xml files in app/something.
Is it possible to download data outside of the specified app/something folder?
Laravel doesn't protect against traversal attacks - the router will return any value with your code example, meaning that someone could get access to your filesystem!
You can use PHP's basename() to sanitise $name by removing any path references from the string:
    Route::get('/transaction/{name}', 'TransactionController@download');

    public function download($name){
        $path = storage_path('app/something/') . basename($name, '.xml') . '.xml';
        return response()->download($path);
    }
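As an added example (not part of the answer above, and not Laravel's own code): a framework-independent helper that combines an allow-list on the requested name with a realpath() containment check, run against a constructed temporary directory. The function name resolveXmlDownload and the sample file names are assumptions made for the illustration.

```php
<?php
// Added example: resolve a requested name to an .xml file and refuse anything
// that ends up outside the base directory. resolveXmlDownload is a hypothetical name.
function resolveXmlDownload(string $baseDir, string $name): ?string
{
    // Allow-list: only plain names, so separators, dots and NUL bytes never reach the path.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // realpath() resolves symlinks and ".." segments and returns false for missing files.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.xml');
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: the resolved file must sit under the resolved base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sandbox: one allowed file, one file outside the base directory,
// and a symlink inside the base directory that points outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
$base = $root . DIRECTORY_SEPARATOR . 'something';
mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'invoice-1.xml', '<t/>');
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.xml', '<s/>');
@symlink($root . DIRECTORY_SEPARATOR . 'secret.xml', $base . DIRECTORY_SEPARATOR . 'link.xml');

// Constructed request names: only "invoice-1" should be served.
foreach (['invoice-1', '../secret', 'invoice-1.xml', 'link', 'missing', "invoice-1\0"] as $name) {
    $resolved = resolveXmlDownload($base, $name);
    printf("%-20s => %s\n", json_encode($name), $resolved === null ? 'rejected' : 'served');
}

// Remove the constructed sandbox again.
@unlink($base . DIRECTORY_SEPARATOR . 'link.xml');
unlink($base . DIRECTORY_SEPARATOR . 'invoice-1.xml');
unlink($root . DIRECTORY_SEPARATOR . 'secret.xml');
rmdir($base);
rmdir($root);
```

The "link" case passes the allow-list and is only caught by the containment check, which is why both checks are kept. In a Laravel controller, a null result would map to abort(404) before response()->download() is reached.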