From 1a8039b675dd5965b9f6720ea1f8045ca4fca8b5 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 17:04:18 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 test/server/index.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/test/server/index.js b/test/server/index.js
index 7905a447..de863d0d 100644
--- a/test/server/index.js
+++ b/test/server/index.js
@@ -4,6 +4,11 @@ var path = require('path');
 var server = http.createServer(function (req, res) {
 var publicDir = path.join(__dirname, 'public');
+ if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
 var file = path.join(publicDir, req.url);
 fs.readFile(file, function (error, data) {
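Review bot: The new guard in the request handler compares two strings instead of checking where the joined path lands, and `decodeURI(req.url)` is called without a `try`, so a request with malformed percent-encoding would throw `URIError` inside the handler rather than receive the 403. The check also runs on the decoded URL while `path.join(publicDir, req.url)` below it still uses the raw one, so the string that was validated is not the string that is opened. I would decode once, join, and require the result to stay under `publicDir`, as sketched below (note that this makes `file` come from the decoded URL). On Windows `path.normalize` rewrites `/` to `\`, so the equality test would presumably reject every request there. The `fs.readFile` callback continues outside the hunk.

```javascript
  var publicDir = path.join(__dirname, 'public');
  var decodedUrl;
  try {
    decodedUrl = decodeURI(req.url);
  } catch (e) {
    decodedUrl = null; // malformed percent-encoding: reject below
  }
  // Join first, then require the result to stay inside publicDir.
  var file = decodedUrl === null ? null : path.join(publicDir, decodedUrl);
  if (file === null || decodedUrl.indexOf('\0') !== -1 ||
      (file !== publicDir && file.indexOf(publicDir + path.sep) !== 0)) {
    res.statusCode = 403;
    res.end();
    return;
  }
  // … unchanged: fs.readFile(file, ...) …
```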