From ef59eed195d5e523ae4f8c731f1f522d462da453 Mon Sep 17 00:00:00 2001 From: Jafar Akhondali Date: Tue, 5 Nov 2024 17:51:37 +0100 Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks. --- packages/website/scripts/preview.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packages/website/scripts/preview.js b/packages/website/scripts/preview.js index 6d6ab1ba1..5936be344 100644 --- a/packages/website/scripts/preview.js +++ b/packages/website/scripts/preview.js @@ -20,6 +20,9 @@ const serverHandle = (req, res) => { } const url = req.url === '/' ? config.indexFile : req.url + if (url.includes('..')) { + res.writeHead(403); res.end('request is blocked'); return; + } const urlInfo = path.parse(url) const filePath = path.join(__dirname, config.baseContent, url)