From 279688615bce0d6ce20e23ba2e030522a37364f2 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Fri, 26 Jul 2024 05:32:13 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.

---
 static.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/static.js b/static.js
index e9f69e6..688b5bc 100755
--- a/static.js
+++ b/static.js
@@ -30,6 +30,12 @@ if (allowSave) console.warn("writing files from browser is enabled");
 http.createServer(function(req, res) {
+  if (path.normalize(unescape(req.url)) !== unescape(req.url)) {
+    res.statusCode = 403;
+    res.end();
+    return;
+  }
+
   var uri = unescape(url.parse(req.url).pathname);
   var filename = path.join(process.cwd(), uri);