From 91def328e55d4a9d3af9d42f67a0837aec258442 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren?=
Date: Mon, 16 Sep 2024 09:45:44 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
Co-Authored-By: Jafar Akhondali
---
 serve.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/serve.js b/serve.js
index 5ea4d68f1..fb8386b47 100755
--- a/serve.js
+++ b/serve.js
@@ -75,6 +75,11 @@ var http = require("http"),
 };
 http.createServer(function(request, response) {
+ if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 var uri = url.parse(request.url).pathname,
 filename = path.join(process.cwd(), uri);
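Review bot: The new guard calls `decodeURI(request.url)` without a try/catch, and `decodeURI` throws a `URIError` on malformed percent-encoding (a bare `%` or a truncated `%2` in the request line); inside the `http.createServer` callback that exception is unhandled and terminates the process, so the hardening adds a crash path that any client can trigger. Decode once into a local inside a try/catch, answer 400 on failure, and only then run the normalize comparison. A smaller point: the comparison runs on the whole `request.url`, query string included, so `path.normalize` also rewrites `?`/`..` sequences in the query and benign requests such as `/a?next=../b` get a 403, while the file path on the next lines is built from the undecoded `pathname` only; comparing the decoded pathname would be both more precise and consistent with how `filename` is formed. The request callback continues past the end of the hunk.
```javascript
http.createServer(function(request, response) {
  var decoded;
  try {
    decoded = decodeURI(request.url);
  } catch (err) {
    // malformed percent-encoding: reject instead of letting URIError escape the callback
    response.statusCode = 400;
    response.end();
    return;
  }
  if (path.normalize(decoded) !== decoded) {
    response.statusCode = 403;
    response.end();
    return;
  }
  // … unchanged: uri / filename setup …
```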