From ae5afa2346184d0ba91ae18a39fbd7ccb126a1d6 Mon Sep 17 00:00:00 2001
From: Scott George
Date: Wed, 24 Dec 2025 11:53:35 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 4: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 scripts/serve.js | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/scripts/serve.js b/scripts/serve.js
index 2f0ec6b..e919524 100644
--- a/scripts/serve.js
+++ b/scripts/serve.js
@@ -25,8 +25,21 @@ const mimeTypes = {
 const server = http.createServer((req, res) => {
   const parsedUrl = url.parse(req.url);
-  const safePath = path.normalize(parsedUrl.pathname || '/').replace(/^\.\.(\/|\\)/, '');
-  let pathname = path.join(rootDir, safePath);
+  // Normalize the requested path and ensure it is relative
+  let safePath = path.normalize(parsedUrl.pathname || '/');
+  // Remove any leading slashes to force a path relative to rootDir
+  safePath = safePath.replace(/^([/\\])+/, '');
+
+  // Resolve the final pathname within rootDir
+  let pathname = path.resolve(rootDir, safePath || 'index.html');
+
+  // Ensure the resolved path is within the root directory
+  const rootWithSep = rootDir.endsWith(path.sep) ? rootDir : rootDir + path.sep;
+  if (pathname !== rootDir && !pathname.startsWith(rootWithSep)) {
+    res.statusCode = 403;
+    res.end('Forbidden');
+    return;
+  }
   if (fs.existsSync(pathname) && fs.statSync(pathname).isDirectory()) {
     pathname = path.join(pathname, 'index.html');