From 9ec1ad46c663bd0358f6587c4ca3e7dc38f4a82b Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 18:43:57 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 demo/server.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/demo/server.js b/demo/server.js
index 8bc7ce0..abe2909 100644
--- a/demo/server.js
+++ b/demo/server.js
@@ -5,6 +5,11 @@ http = require('http');
 const SERVER_PORT = 8899;
 http.createServer(function (req, res) {
+ if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
 let filename = path.join(__dirname, req.url);
 if (req.url != '/index.html') {
 filename = path.join(__dirname, '../', req.url)
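Review bot: `decodeURI(req.url)` in the added guard throws a URIError on a malformed percent-escape, and nothing visible in the handler catches it, so a single bad request can terminate the demo server instead of getting an error response. The guard also compares strings rather than checking where the path ends up: it validates the decoded URL while the `path.join` calls below still receive the raw `req.url`, and on Windows `path.normalize` rewrites `/` to `\`, so every request would be answered with 403. A containment check on the resolved path is sturdier: decode inside try/catch, resolve against the served root (taken here from the `'../'` join in the hunk), and reject anything that does not stay under it. The createServer callback continues past the end of the hunk, so how `filename` is used afterwards is not visible here.

```javascript
http.createServer(function (req, res) {
  let pathname;
  try {
    // drop the query string before decoding; a malformed escape must not escape the handler
    pathname = decodeURIComponent(req.url.split('?')[0]);
  } catch (err) {
    res.statusCode = 400;
    res.end();
    return;
  }
  // widest directory the handler serves from, per the '../' join below
  const root = path.resolve(__dirname, '..');
  const target = path.resolve(root, '.' + pathname);
  if (target !== root && !target.startsWith(root + path.sep)) {
    res.statusCode = 403;
    res.end();
    return;
  }
  // … unchanged: filename is built with path.join as before …
```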