This utility package is intended to be used for filesystem path validation from any user input (html form for example).
path-validation
does not check the real filesystem structure - checkfs.lstat()
to validate against filesystem.
- provided path is string
- provided path is not empty string
- provided path doesn't have disallowed characters (see list below)
- provided path resolves to absolute path
- provided path match platform specific rules (see list below)
- a) start with slash
- b) does not contain backslash
- c) start with drive letter
- d) does not contain forward slash
- e) contain only one colon (after drive letter)
The list of disallowed characters include restriced characters on Linux & Windows as well as some characters that should be avoided in file naming.
[ (left square bracket)
] (right square bracket)
# (number sign / hash / pound)
% (percent sign)
& (ampersand)
{ (left curly bracket)
} (right curly bracket)
< (less than)
> (greater than)
* (asterisk - part of patterns)
? (question mark)
\s (any whitespace)
\b (backspace)
\0 (null byte)
$ (dollar)
! (exclamation mark)
' (single quote)
: (colon - allowed on Windows to appear once only)
@ (at)
| (vertical bar or pipe)
‘ (backtick)
` (backtick)
“ (double quote)
" (double quote)
+ (plus sign)
^ (caret)
/ (slash - disallowed on Windows only)
\ (backslash - disallowed on Linux only)
Alias to isAbsolutePath(str, '/')
Alias to isAbsolutePath(str, '\\')
- http://www.mtu.edu/umc/services/digital/writing/characters-avoid/
- https://serverfault.com/questions/150740/linux-windows-unix-file-names-which-characters-are-allowed-which-are-unesc
- https://stackoverflow.com/questions/1976007/what-characters-are-forbidden-in-windows-and-linux-directory-names
Pull requests are always welcome. Please review and add your test specs for valid and invalid paths.
- Node.js
path.isAbsolute()
. It seems to be insufficient for input validation since it allows glob patterns and traversal. - NPM package path-is-absolute. Not sufficeint for input validation since the only thing it checks for posix path is if it starts with '/' (slash). Therefore backspace, null byte, patters and traversal are allowed.
Copyright (c) 2018 Adrian Matylewicz Released under the MIT license.