From e009b7408179aa094ab37cda742e6d4631528d47 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 19:16:50 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 go.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/go.js b/go.js
index 5e2933e..f5b510c 100644
--- a/go.js
+++ b/go.js
@@ -8,6 +8,11 @@ port = process.env.PORT || 5000;
 http.createServer(function(request, response) {
 var uri = url.parse(request.url).pathname;
+ if (path.normalize(decodeURIComponent(uri)) !== decodeURIComponent(uri)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 var filename = path.join(process.cwd(), uri);
 switch(uri)
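Review bot: The added guard calls `decodeURIComponent(uri)` with no try/catch, so a request path with malformed percent-encoding raises `URIError` inside the request handler; nothing visible in the hunk catches it, so one such request would likely take the server process down. The comparison also depends on the host's `path.normalize`, which on Windows rewrites `/` to `\`, so there every request would compare unequal and be answered with 403. I would decode once inside a try/catch (answering 400 on failure) and reject any decoded path that contains a `..` segment under either separator, as sketched below. The handler continues past the end of the hunk, so how `uri` and `filename` are used after `switch(uri)` is not visible here.

```javascript
  var uri = url.parse(request.url).pathname;
  var decoded;
  try {
    decoded = decodeURIComponent(uri);
  } catch (e) {
    // Malformed percent-encoding: answer 400 instead of letting URIError escape the handler.
    response.statusCode = 400;
    response.end();
    return;
  }
  // Separator-agnostic test, so the outcome does not depend on the platform's path.normalize().
  if (decoded.split(/[\\/]/).indexOf('..') !== -1) {
    response.statusCode = 403;
    response.end();
    return;
  }
  // … unchanged: var filename = path.join(process.cwd(), uri); switch(uri) …
```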