
Fix Improper Assets Management in AdonisJS

Improper Asset Management in AdonisJS occurs when the static-file middleware is overly permissive or when a Drive disk exposes internal paths through a route. Attackers use these misconfigurations to perform path traversal, read .env files, or access other users' private data. Secure asset management requires strict whitelisting of what is served, sanitization of any client-supplied path component, and scoping of storage paths to the authenticated identity.

The Vulnerable Pattern

// start/routes.ts
import Route from '@adonisjs/core/services/router' // added: the page omits this import; the path assumes the AdonisJS v6 router service
import Drive from '@adonisjs/core/services/drive'

// VULNERABLE: the wildcard parameter is passed straight to the disk, so a request
// such as /storage/../../.env escapes the intended directory
Route.get('/storage/:path*', async ({ params, response }) => {
  const stream = await Drive.getStream(params.path)
  return response.stream(stream)
})

// config/static.ts
export const staticConfig = {
  enabled: true,
  match: ['/**'], // VULNERABLE: exposes every file under the public directory indiscriminately
}

The Secure Implementation

The vulnerability stems from wildcard route parameters that are handed directly to the file system and from overly broad static file matching. The fix implements three defensive layers:

1. Path Sanitization: rejecting '..' and path separators prevents an attacker from escaping the intended directory.
2. Identity Scoping: prepending the authenticated user's ID to the storage path ensures users cannot read other people's assets (fixing the IDOR).
3. Explicit Whitelisting: hardening config/static.ts so that only specific subdirectories are matched prevents leakage of build artifacts or hidden files that happen to live in the public root.

// start/routes.ts
import Route from '@adonisjs/core/services/router' // added: assumes the AdonisJS v6 router service
import { middleware } from '#start/kernel'         // added: where a v6 app exports its named middleware
import Drive from '@adonisjs/core/services/drive'
import { sep } from 'path'

Route.get('/storage/:filename', async ({ params, response, auth }) => {
  const user = await auth.authenticate()
  const fileName = params.filename

  // SECURE: block traversal sequences and path separators
  if (fileName.includes('..') || fileName.includes(sep)) {
    return response.badRequest('Invalid filename format')
  }

  // SECURE: enforce ownership and scoped directory access
  const securePath = `users/${user.id}/uploads/${fileName}`

  if (!(await Drive.exists(securePath))) {
    return response.notFound('Asset not found')
  }

  return response.stream(await Drive.getStream(securePath))
}).use(middleware.auth())

// config/static.ts
export const staticConfig = {
  enabled: true,
  // SECURE: only serve specific, non-sensitive asset types
  match: ['/assets/(js|css|images|fonts)/**'],
}
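The three layers above can be pulled out of the route handler into plain functions so that the rules are unit-testable without booting an AdonisJS application. The following is an added example written for this page, not code from GuardAPI or from AdonisJS; the names isSafeFilename, resolveAssetKey and isAllowedStaticPath are hypothetical, and the user id and filenames in the comments are constructed. It goes further than the handler on the page in two ways: the filename check is an allow-list (one safe character class) rather than a deny-list of '..' and the platform separator, so backslashes, NUL bytes and percent-encoded variants are refused by the same rule, and the static whitelist is expressed as a predicate that normalizes the URL before matching.

```typescript
import { posix } from 'node:path'

// Layer 1: a filename is accepted only if it is a single path segment made of a
// conservative character set and does not start with a dot. This single rule
// rejects '..', '/', '\\', NUL bytes, leading-dot files such as '.env' and any
// percent sign left over from encoding, without enumerating each case.
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/

export function isSafeFilename(name: string): boolean {
  return SAFE_FILENAME.test(name)
}

// Layer 2: build the storage key the handler is allowed to read. The authenticated
// user's id (hypothetical numeric id) is prepended server-side; the client never
// controls the directory portion. Returns null when the request must get a 400.
export function resolveAssetKey(userId: number, rawName: string): string | null {
  // Route params arrive URL-decoded, but decode once more defensively so that a
  // double-encoded '%252e%252e' cannot survive into the key. Malformed input throws.
  let name: string
  try {
    name = decodeURIComponent(rawName)
  } catch {
    return null
  }
  if (!isSafeFilename(name)) return null

  const base = `users/${userId}/uploads/`
  const key = posix.normalize(base + name)
  // After normalization the key must still sit under the user's own prefix.
  return key.startsWith(base) ? key : null
}

// Layer 3: the static allow-list from config/static.ts expressed as a predicate, so
// the same rule can be asserted on in tests. Only the listed asset subdirectories
// (and anything nested beneath them, like the '**' glob) are public.
const STATIC_ALLOWED = /^\/assets\/(js|css|images|fonts)\/.+$/

export function isAllowedStaticPath(urlPath: string): boolean {
  // Normalize first so '/assets/js/../../.env' collapses to '/.env' and is refused.
  const normalized = posix.normalize(urlPath)
  return STATIC_ALLOWED.test(normalized)
}
```

Inside the route handler, resolveAssetKey(user.id, params.filename) replaces the inline includes() checks and the template string: a null result maps to response.badRequest, anything else is the key passed to Drive.exists and Drive.getStream. Keeping the allow-list strict (no spaces, no leading dot, bounded length) is deliberate; if uploads need a wider character set, widen the regex rather than switching back to a deny-list.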


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.