Add path traversal

Author: timursevimli

JavaScript/d-messenger/lib/static.js

@@ -28,6 +28,10 @@ module.exports = (root, port, console) => {
     .createServer(async (req, res) => {
       const url = req.url === '/' ? '/index.html' : req.url;
       const filePath = path.join(root, url);
+      if (!filePath.startsWith(root)) {
+        res.statusCode = 404;
+        return void res.end('"File is not found"');
+      }
       try {
         const data = await fs.promises.readFile(filePath);
         const fileExt = path.extname(filePath).substring(1);