From fce10f5bfa19ada9a246afd30ec75bfa1c7556b3 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 18:40:44 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 src/server.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/server.js b/src/server.js
index e2445c6..5910753 100644
--- a/src/server.js
+++ b/src/server.js
@@ -72,6 +72,11 @@ function runServer () {
 }
 const server = http.createServer((req, res) => {
+ if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
 const parseURL = url.parse(req.url)
 let pathname = parseURL.pathname
 if (/\/$/.test(pathname)) {
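Review bot: `decodeURI(req.url)` in the new guard throws `URIError` on a malformed percent-escape, and nothing visible in the handler catches it, so a single bad request can terminate the server process instead of getting an error response. The comparison also runs on the whole request target (query string included) with the platform `path.normalize`, which rewrites `/` to `\` on Windows and would therefore answer 403 to every request there; and `decodeURI` leaves escapes of reserved characters (an encoded slash, for example) undecoded, so the string that is checked may not be the string the file lookup ends up using. I would decode only the pathname inside a try/catch, answer 400 on a decode error, and compare against `path.posix.normalize`, as in the excerpt below. The code that maps the pathname to a file is outside this hunk; checking there that the resolved path stays under the served root would be the more robust guard.

```javascript
const server = http.createServer((req, res) => {
  let decodedPath;
  try {
    // Decode only the path component, so the query string cannot trip the check.
    decodedPath = decodeURIComponent(url.parse(req.url).pathname || '/');
  } catch (err) {
    // Malformed percent-encoding: reject instead of letting URIError escape the handler.
    res.statusCode = 400;
    res.end();
    return;
  }
  // posix.normalize keeps '/' separators on every platform.
  if (path.posix.normalize(decodedPath) !== decodedPath) {
    res.statusCode = 403;
    res.end();
    return;
  }
  // … unchanged: URL parsing and file lookup …
```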