From 0454d3fa1c38c40801a046c8f1f8562467809be6 Mon Sep 17 00:00:00 2001
From: DuLinRain
Date: Fri, 29 Jan 2021 12:27:05 +0800
Subject: [PATCH] fix: add a defence for Path Traversal like thgh/rollup-plugin-serve (https://github.com/thgh/rollup-plugin-serve/blob/master/src/index.js#L36), add a defence for Path Traversal, accordding to https://snyk.io/vuln/SNYK-JS-ROLLUPPLUGINSERVER-590123
---
 src/index.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/index.js b/src/index.js
index 6a90dc4..022be29 100644
--- a/src/index.js
+++ b/src/index.js
@@ -1,7 +1,7 @@
 import {readFile} from 'fs'
 import http from 'http'
 import https from 'https'
-import {resolve} from 'path'
+import {resolve, posix} from 'path'
 import mime from 'mime'
 import opener from 'opener'
 
@@ -84,7 +84,10 @@ export default function server(options = {contentBase: ''}) {
 });
 
 // Remove querystring
- const urlPath = decodeURI(request.url.split('?')[0])
+ const unsafePath = decodeURI(request.url.split('?')[0])
+
+ // Don't allow path traversal
+ const urlPath = posix.normalize(unsafePath)
 
 readFileFromContentBase(options.contentBase, urlPath, function (error, content, filePath) {