
Node.js REST API - URI Sanitizing?

I would like to require pages in my Node.js server based on the requested URI.

However, I am concerned that this could be a severe security issue, since a user can inject some malicious characters into the URL, something like ../../, reach my root server point and reveal all of the code.

So, just like throwing a bottle of water at a big fire, I have eliminated the option to send . in the request.

This is not a silver bullet, probably :)

Is there maybe some standard/best practice/guide or key points about URI sanitizing in a REST API based on Node.js?

Edit - here is the code that uses the require:

// app.js
// Mounts the router middleware below on every request.
app.use(require('./services/router')(app));


// router.js middleware
// `cast` is the poster's own response helper module (cast.badRequest(),
// cast.notFound()); it is assumed to be required at the top of this file.
function router(app) {
  return function(req, res, next) {

    try {
      // checking for . in the url; reject the request and stop here
      if (req.url.indexOf(".") != -1) return cast.badRequest();
      // req.url.split('/')[2] should be customers, users or anything else,
      // e.g. "/v1/rides/42" -> "rides"
      var resource = req.url.split('/')[2];
      // loads ../../resources/<resource>/<resource>-router on every request
      require('../../resources/' + resource + '/' + resource + '-router')(app);
      next();
    } catch(err) { cast.notFound(); }

  }
}

module.exports = router;

// rides-router.js (this could be users-router.js or customers-router.js)
// `dep` is the poster's own dependency module providing the verifyToken()
// auth middleware; it is assumed to be required at the top of this file.
module.exports = function(app) {

  // GET ride - select a ride
  app.get("/v1/rides/:id", dep.verifyToken(), require('./api/v1-get-ride'));

  // POST ride - insert a new ride
  app.post("/v1/rides", dep.verifyToken(), require('./api/v1-set-ride'));

  // anything else under this router is a 404
  app.use((req, res, next) => {
    cast.notFound();
  });

}

You asked how to do it safer. My recommendation is that you put all the resources in an array and run all the app.use() statements with one loop that pulls the resource names from the array at server startup.

I don't like running synchronous require() during a request and I don't like loading code based on user specified characters. Both are avoided with my recommendation.

// add routes for all resources
const resourceList = ['rides', 'products', ...];

for (let r of resourceList) {
    app.use(`/${r}`, require(`./resources/${r}/${r}-router`));
}

This seems like less code, is 100% safe, and involves no synchronous require() during a request.

Advantages:

  1. Fully whitelisted.
  2. No user input involved in selecting code to run.
  3. No synchronous require() during request processing.
  4. All routes installed at server initialization time.
  5. Any errors in route loading (like a missing route file) occur at server startup, not during a user request.
