From 4e13f77bc6c71c9a86211b5f023cee3e42423bde Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 17:01:18 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 server.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server.js b/server.js
index eab79a5..dd2450a 100644
--- a/server.js
+++ b/server.js
@@ -35,6 +35,11 @@ const serveFile = async (filePath, contentType, response) => {
 }
 const server = http.createServer((req, res) => {
+ if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
 console.log(req.url, req.method);
 myEmitter.emit('log', `${req.url}\t${req.method}`, 'reqLog.txt');
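Review bot: The new guard calls `decodeURI(req.url)` directly in the request callback, and `decodeURI` throws `URIError` on a malformed percent-escape, so one bad request could raise out of the handler and, unless something outside this hunk catches it, take the server down; decode once inside `try`/`catch` and answer 400. `path.normalize` is also platform-dependent (on Windows it rewrites `/` to `\`, so every URL would compare unequal and get 403), which `path.posix.normalize` avoids. Because `decodeURI` leaves reserved escapes such as `%2F` encoded and `req.url` still carries the query string, the comparison is a heuristic that may both miss cases and over-block legitimate requests; the durable check is to resolve the final file path and confirm it stays under the served root at the point where that path is built, which is outside this hunk. The handler's body continues past the hunk.

```javascript
const server = http.createServer((req, res) => {
  let decodedUrl;
  try {
    decodedUrl = decodeURI(req.url);
  } catch (err) {
    // Malformed percent-encoding: reject instead of letting URIError escape the handler.
    res.statusCode = 400;
    res.end();
    return;
  }
  // POSIX rules keep '/' separators stable on every platform.
  if (path.posix.normalize(decodedUrl) !== decodedUrl) {
    res.statusCode = 403;
    res.end();
    return;
  }
  // … unchanged: request logging …
```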