thgh · Jul 17, 2020 · Jul 17, 2020
Showing with 10 additions and 3 deletions.

+4 −0 CHANGELOG.md

+1 −1 package.json

+5 −2 src/index.js
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 All notable changes to `rollup-plugin-serve` will be documented in this file.
 
+## [1.0.2] - 2020-07-17
+### Fixed
+- Fix path traversal issue
+
 ## [1.0.1] - 2019-01-27
 ### Added
 - Add Intellisense support #34

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "rollup-plugin-serve",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Serve your rolled up bundle",
   "main": "dist/index.cjs.js",
   "module": "dist/index.es.js",

diff --git a/src/index.js b/src/index.js
@@ -1,7 +1,7 @@
 import { readFile } from 'fs'
 import { createServer as createHttpsServer } from 'https'
 import { createServer } from 'http'
-import { resolve } from 'path'
+import { resolve, normalize } from 'path'
 
 import mime from 'mime'
 import opener from 'opener'
@@ -26,7 +26,10 @@ function serve (options = { contentBase: '' }) {
 
   const requestListener = (request, response) => {
     // Remove querystring
-    const urlPath = decodeURI(request.url.split('?')[0])
+    const unsafePath = decodeURI(request.url.split('?')[0])
+
+    // Don't allow path traversal
+    const urlPath = normalize(unsafePath)
 
     Object.keys(options.headers).forEach((key) => {
       response.setHeader(key, options.headers[key])