From 642a20645fbb423cbc06477d966b11b69a63a117 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 18:07:23 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 05-nodejs-demo/http1.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/05-nodejs-demo/http1.js b/05-nodejs-demo/http1.js
index 4a3ee287..f6a8818d 100644
--- a/05-nodejs-demo/http1.js
+++ b/05-nodejs-demo/http1.js
@@ -22,6 +22,11 @@ const server = http.createServer((request, response) => {
 console.log(`Headers ${JSON.stringify(request.headers)}`);
 if (request.method === 'GET') {
+ if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 // Providing response - read the requested file content from file system
 fs.readFile(path.join(public, pathname.substr(1)), function (err, data) {
 if (err) {
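Review bot: `decodeURI(request.url)` on the added `if` line throws a `URIError` for a malformed percent-escape, and inside the request callback that is an uncaught exception that brings the whole server down instead of answering 403, so the decode needs a try/catch that returns 400. The string comparison is also fragile as a traversal guard: `request.url` still carries the query string, so a harmless `?q=../x` is rejected, and if this ever runs on Windows `path.normalize` rewrites `/` to `\`, which as far as I can tell would make every GET fail the check. The check also inspects `request.url` while the `fs.readFile` two lines below builds its path from `pathname` (defined outside this hunk), so the guarded value and the used value can diverge; a more robust guard resolves the path that is actually opened and verifies it stays under `public`. The enclosing handler starts and ends outside the hunk.
```javascript
  if (request.method === 'GET') {
    // Guard the path that is actually opened: resolve it and require that it stays
    // under `public`. decodeURIComponent throws URIError on malformed escapes,
    // so answer 400 instead of letting the exception escape the handler.
    // NOTE(review): assumes `pathname` is the raw (undecoded) URL path — confirm.
    const root = path.resolve(public);
    let target;
    try {
      target = path.resolve(root, decodeURIComponent(pathname).replace(/^\/+/, ''));
    } catch (err) {
      response.statusCode = 400;
      response.end();
      return;
    }
    if (target !== root && !target.startsWith(root + path.sep)) {
      response.statusCode = 403;
      response.end();
      return;
    }
    // Providing response - read the requested file content from file system
    fs.readFile(target, function (err, data) {
      // … unchanged: error handling and response body …
```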