From fcb17a6ced01f40ee5a53d2f817bfe7f10fcf9d0 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 18:50:04 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 MiaoZ/node/static-resourc-server/main.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/MiaoZ/node/static-resourc-server/main.js b/MiaoZ/node/static-resourc-server/main.js
index acabbf4..a47c153 100644
--- a/MiaoZ/node/static-resourc-server/main.js
+++ b/MiaoZ/node/static-resourc-server/main.js
@@ -4,6 +4,12 @@ const path = require('path')
 
 http.createServer((req, res) => {
 const filePath = path.join(__dirname, req.url)
+ if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
+
 fs.stat(filePath, (err, stats) => {
 if (err) {
 res.statusCode = 404
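Review bot: `decodeURI(req.url)` in the added guard throws a URIError on a malformed percent-escape, and nothing in the visible handler catches it, so such a request would likely crash the process instead of getting a 403. The guard also validates a decoded string, while `filePath`, built on the line above from the raw `req.url`, is what actually reaches `fs.stat`; and `path.normalize` rewrites `/` to `\` on Windows, where the comparison would then reject every request. A containment check on the joined path avoids all three: resolve the served root once and answer 403 unless `filePath` is the root or starts with `root + path.sep`. The handler body continues outside the hunk.

```javascript
http.createServer((req, res) => {
  // Validate the same path that is handed to fs: join, then require it to stay under the root.
  const root = path.resolve(__dirname)
  const filePath = path.join(root, req.url)
  if (filePath !== root && !filePath.startsWith(root + path.sep)) {
    res.statusCode = 403
    res.end()
    return
  }

  // … unchanged: fs.stat(filePath, …) and the rest of the handler …
```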