From 479f09c702b5ac3a711dd8e2f9da6cf67fc6609c Mon Sep 17 00:00:00 2001
From: Denis Safronenkov
Date: Fri, 23 Jul 2021 22:02:40 +0300
Subject: [PATCH 1/2] fix directory traversal issue

---
 packages/server/src/httpServer.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/server/src/httpServer.js b/packages/server/src/httpServer.js
index e777e73..7920a62 100644
--- a/packages/server/src/httpServer.js
+++ b/packages/server/src/httpServer.js
@@ -242,7 +242,7 @@ class HttpServer {
 }
 let filePath = path.join(this.webFolderPath, uri);
 fs.exists(filePath, exists => {
- if (!exists) {
+ if (!exists || filePath.indexOf(this.webFolderPath) !== 0) {
 response.writeHead(404);
 response.write("Not found");
 response.end();
From 1c1d6ce3fa3c5dbc36fde2394bb9812fc82c62b0 Mon Sep 17 00:00:00 2001
From: Denis Safronenkov
Date: Mon, 29 Nov 2021 20:23:34 +0300
Subject: [PATCH 2/2] add Content-Security-Policy headers

---
 packages/server/src/gzip.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/server/src/gzip.js b/packages/server/src/gzip.js
index 1e15cf2..f684738 100644
--- a/packages/server/src/gzip.js
+++ b/packages/server/src/gzip.js
@@ -22,7 +22,8 @@ function gzip(request, response) {
 writeHead.call(response, myStatusCode, {
 ...myHeaders,
 "Content-Encoding": "gzip",
- "Content-Length": compressedBuffer.length
+ "Content-Length": compressedBuffer.length,
+ "Content-Security-Policy": "default-src 'self'; img-src 'self' data:"
 });
 write.call(response, compressedBuffer, dataType);
 end.call(response);
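Review bot: The prefix test `filePath.indexOf(this.webFolderPath) !== 0` on the new side still admits a sibling directory whose name extends the web root (a root of `/srv/site` also matches `/srv/site-private/...`), and it depends on `this.webFolderPath` being normalized, because `path.join` normalizes `filePath` but nothing in the hunk normalizes the root it is compared against — a root given as `./public` would make the test reject every request. Resolving the root once and requiring a path separator after it closes both gaps: `const root = path.resolve(this.webFolderPath);`, `let filePath = path.join(root, uri);`, `if (!exists || (filePath !== root && !filePath.startsWith(root + path.sep))) {`. The containment check does not depend on the filesystem, so it can run before `fs.exists` rather than inside its callback, which keeps the existence probe off paths outside the root. The enclosing method of `HttpServer` begins and ends outside the hunk.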
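Review bot: The CSP on the new side is emitted from the gzip wrapper, so it applies only to responses that pass through this `writeHead` override and, being spread after `myHeaders`, it also overrides any `Content-Security-Policy` a caller placed in `myHeaders` under that key. If the server has a response path that does not gzip (not visible here), those responses leave without the policy, and a per-response policy cannot be adjusted upstream. Setting the header where responses are composed (the `HttpServer` code in `httpServer.js` from the first patch) and leaving the compression layer to copy headers through would keep the policy in one place; short of that, letting a caller's value win, `"Content-Security-Policy": myHeaders["Content-Security-Policy"] ?? "default-src 'self'; img-src 'self' data:"`, keeps the default without clobbering. `default-src 'self'` also blocks inline scripts and styles, which deserves a one-line comment on the header stating that the served pages are expected to contain none. The `gzip` function starts before the hunk and ends after it.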