From e04e0ff672299c77bbb9f7c73f952a0b5cd02a87 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Fri, 26 Jul 2024 06:43:09 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 src/index.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/index.js b/src/index.js
index 514bf1d..8fa2bf1 100644
--- a/src/index.js
+++ b/src/index.js
@@ -5,6 +5,11 @@ const fs = require('fs');
 const { mathToSvg } = require('@justforfun-click/mathjax/js/mathToSvg');
 const listener = (req, res) => {
+ if (Path.normalize(decodeURIComponent(req.url)) !== decodeURIComponent(req.url)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
 var path = decodeURIComponent(req.url);
 var i = 0;
 for (; i < path.length; ++i) {
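Review bot: The new guard at the top of `listener` calls `decodeURIComponent(req.url)` twice with no error handling, and that call throws `URIError` on malformed percent-encoding; unless something outside the hunk catches it, the exception leaves the request handler instead of producing an error response (the `var path` context line has the same problem). Decode once inside a `try`/`catch`, answer 400 on failure, and reuse the decoded value for both the check and `path`. `Path.normalize` is also platform-specific: on Windows it rewrites `/` to `\`, so the comparison would reject every URL there, whereas `Path.posix.normalize` keeps the check about URL syntax. Comparing against the normalized string is a heuristic that also runs over any query string in `req.url`; where the path is later mapped to a file (the rest of `listener` is outside this hunk), resolving it and verifying it stays under the served root would be the stronger control.

```javascript
const listener = (req, res) => {
    var path;
    try {
        path = decodeURIComponent(req.url);
    } catch (err) {
        // Malformed percent-encoding: reject instead of throwing out of the handler.
        res.statusCode = 400;
        res.end();
        return;
    }
    if (Path.posix.normalize(path) !== path) {
        res.statusCode = 403;
        res.end();
        return;
    }
    // … unchanged: var i = 0 and the scan loop over path …
```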