
Unexpected path traversal vulnerability

Open rcowsill opened this issue 3 years ago • 0 comments

Looking at NodeGoat's results on LGTM.com, alongside the expected vulnerabilities there are some more alerts. Most are minor issues, but one is for this unexpected vulnerability:

https://lgtm.com/projects/g/OWASP/NodeGoat?mode=list&tag=external%2Fcwe%2Fcwe-022

The /tutorial/:page route passes the user-controlled page parameter directly to res.render, which is warned against in the express documentation:

(http://expressjs.com/en/4x/api.html#res.render) NOTE: The view argument performs file system operations like reading a file from disk and evaluating Node.js modules, and as so for security reasons should not contain input from the end-user.

For example, requesting /tutorial/layout renders the header and sidebar with no content. That's not too bad, but it's also possible to use relative paths to return any ".html" file on the server. An attacker could also trick express into trying to load any installed node module as a view engine.

rcowsill, Mar 14 '21 13:03