From 635cac83258e86636395cb40aefd535a599c2c84 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Fri, 26 Jul 2024 03:48:27 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 server.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server.js b/server.js
index 9114eb8..7be16e4 100755
--- a/server.js
+++ b/server.js
@@ -190,6 +190,11 @@ function propfind(request, response, pathname) {
 function handleRequest(request, response) {
 let urlObject = urlParser.parse(request.url, true);
+ if (path.normalize(decodeURIComponent(pathname)) !== decodeURIComponent(pathname)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 let pathname = decodeURIComponent(urlObject.pathname);
 let method = request.method;
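Review bot: The added guard in handleRequest reads `pathname` before the `let pathname = decodeURIComponent(urlObject.pathname);` declaration that follows it, so the name is still in its temporal dead zone and the `if` throws a ReferenceError on every request instead of answering 403. Move the declaration above the guard and compare the value it already decoded, e.g. `if (path.posix.normalize(pathname) !== pathname) {`; plain `path.normalize` rewrites `/` to `\` on Windows, so the comparison would reject every URL there, and decoding twice in the condition is unnecessary. `decodeURIComponent` throws a URIError on malformed percent-escapes, so the decode is worth wrapping in a try/catch that responds 400. The rest of handleRequest lies outside the hunk, so it is not visible whether the resolved file path is also checked to stay under the served root; that containment check is the stronger control, and this string comparison should complement it rather than replace it.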