From 772702210a83aa9c9afee3189584c19b70b11b9f Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 19:26:12 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 serveJsdoc.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/serveJsdoc.js b/serveJsdoc.js
index 15238f8c..6fff61e7 100644
--- a/serveJsdoc.js
+++ b/serveJsdoc.js
@@ -4,6 +4,11 @@ var http = require("http"),
 fs = require("fs")
 http.createServer(function(request, response) {
+ if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 var uri = url.parse(request.url).pathname
 var filename = path.join(process.cwd(), 'out', uri)
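Review bot: The added guard compares two strings instead of checking where the resolved file lands, and `decodeURI(request.url)` throws a `URIError` on malformed percent-encoding, which is not caught in the visible lines and would presumably take the server process down. On Windows `path.normalize` rewrites `/` to `\`, so the comparison would reject every request. Because the whole URL is compared rather than the pathname, a query string containing `//` or `..` is also answered with 403. A containment check on the exact `filename` that is later handed to `fs` avoids all three problems: join the pathname under the `out` root and refuse anything that is neither the root itself nor below `root + path.sep`. The handler body continues outside the hunk, so any later decoding or use of `filename` is not visible here and should be checked against the same root.

```javascript
http.createServer(function(request, response) {
  var root = path.join(process.cwd(), 'out')
  var uri = url.parse(request.url).pathname
  var filename = path.join(root, uri)
  // Refuse any request whose joined path resolves outside the served directory.
  if (filename !== root && !filename.startsWith(root + path.sep)) {
    response.statusCode = 403;
    response.end();
    return;
  }
  // … unchanged: rest of the request handler …
```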