From 13b88acc1bc54181811e1ff9f21dbd23e169f4bb Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 18:37:06 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 async/App.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/async/App.js b/async/App.js
index 81724fe..2f578f4 100644
--- a/async/App.js
+++ b/async/App.js
@@ -164,6 +164,11 @@ const httpserver = http.createServer((req, res) => {
 let query = body.query;
 let pathname = body.pathname;
 res.setHeader("Server", "Nxiao/V5");
+ if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
 if (pathname in routing) {
 routing[pathname](req, res);
 } else {
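Review bot: `decodeURI(req.url)` in the added guard throws `URIError` on a malformed percent-escape and nothing in the hunk catches it, so one bad request can surface as an uncaught exception inside the `http.createServer` callback instead of a 4xx response. The comparison also runs on the whole `req.url` with the platform `path.normalize`, so a query string that merely contains `//` or `./` is answered with 403, and on Windows the `/` to `\` conversion would make every URL differ from its normalized form; checking the already parsed `pathname` with `path.posix.normalize` avoids both. `decodeURI` leaves reserved escapes such as `%2F` encoded, so if the file-serving branch (not visible here) decodes the path again, the guard and the handler disagree about which path is being requested; the durable control is to resolve the requested path against the web root at the point where the file is opened and reject anything that falls outside it. The callback body starts and ends outside the hunk, and the sketch below assumes `body.pathname` is the still-encoded path component of `req.url`.

```javascript
res.setHeader("Server", "Nxiao/V5");
let decodedPath;
try {
  decodedPath = decodeURI(pathname);
} catch (err) {
  // Malformed percent-encoding: answer 400 rather than let URIError escape the handler.
  res.statusCode = 400;
  res.end();
  return;
}
// posix.normalize keeps the comparison platform-independent and ignores the query string.
if (path.posix.normalize(decodedPath) !== decodedPath) {
  res.statusCode = 403;
  res.end();
  return;
}
// … unchanged: routing lookup and else branch …
```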