From b7a3c9f1a8be8181f8033a6134bd4db01583634e Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 5 Nov 2024 15:35:41 +0100
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 devserver.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/devserver.js b/devserver.js
index e30388034..223261901 100644
--- a/devserver.js
+++ b/devserver.js
@@ -8,6 +8,11 @@ port = process.argv[2] || process.env['PORT'] || 8080;
 http.createServer(function(request, response) {
 var uri = url.parse(request.url).pathname
+ if (uri.includes('..')) {
+ response.writeHead(403);
+ response.end();
+ return;
+ }
 var filename = path.join(process.cwd(), 'build', uri);
 fs.exists(filename, function(exists) {
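Review bot: The added guard `uri.includes('..')` is a substring denylist on the raw request path, not a check that the resolved file stays inside the `build` directory, so the protection depends on nothing between this line and `path.join` ever decoding or rewriting `uri`. It holds for the lines visible here because `url.parse(...).pathname` is left percent-encoded, but it would stop protecting if a `decodeURIComponent` step were added later, and it also returns 403 for legitimate file names that happen to contain two consecutive dots. A containment check on the joined path is sturdier: compute `var root = path.join(process.cwd(), 'build');`, build `filename` from `root`, and reject with `if (filename !== root && !filename.startsWith(root + path.sep))` before touching `fs`. A short comment above the check stating that it enforces "served files must stay under build/" would also help. The handler body continues outside the hunk, so whether later code decodes the path cannot be confirmed from here.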