From 64cb8c6b982956da9cc41d0d61bbc4f98ab28ac1 Mon Sep 17 00:00:00 2001
From: April King
Date: Mon, 10 Dec 2018 12:59:04 -0600
Subject: [PATCH] Add protection against directory traversal attacks

---
 test/webserver.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/test/webserver.js b/test/webserver.js
index d52101133..37de91dea 100644
--- a/test/webserver.js
+++ b/test/webserver.js
@@ -80,7 +80,11 @@ WebServer.prototype = {
 _handler: function (req, res) {
 var url = req.url.replace(/\/\//g, '/');
 var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
- var pathPart = decodeURI(urlParts[1]), queryPart = urlParts[3];
+ // guard against directory traversal attacks,
+ // e.g. /../../../../../../../etc/passwd
+ // which let you make GET requests for files outside of this.root
+ var pathPart = path.normalize(decodeURI(urlParts[1]));
+ var queryPart = urlParts[3];
 var verbose = this.verbose;
 var methodHooks = this.hooks[req.method];
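Review bot: The new `path.normalize(decodeURI(urlParts[1]))` line only strips leading `..` segments because the decoded path is absolute (it starts with the `/` from `req.url`), and the hunk does not show the point where `pathPart` is joined onto `this.root`, so the containment guarantee is implicit rather than checked; on Windows `path.normalize` also rewrites `/` to `\`, which a later join must tolerate. The added comment should record that dependency, e.g. `// relies on pathPart being absolute: path.normalize drops leading ".." only for paths starting with "/"`. A more robust form would enforce containment where the file path is built, roughly `var filePath = path.join(this.root, pathPart);` followed by `if (filePath !== this.root && !filePath.startsWith(this.root + path.sep)) { /* reject with 403 */ }`, assuming `this.root` is stored normalized without a trailing separator. `decodeURI` can also throw `URIError` on malformed percent-encoding, which this handler does not catch; that is pre-existing but worth a guard since it now sits on the traversal path. The rest of `_handler`, including the join and the response code, lies outside this hunk.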