From 72e1b2a5b2708cadcc8d56333f7b5139a42d1433 Mon Sep 17 00:00:00 2001
From: Scott George
Date: Wed, 24 Dec 2025 11:52:24 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 5: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 scripts/serve.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/scripts/serve.js b/scripts/serve.js
index 2f0ec6b..529698f 100644
--- a/scripts/serve.js
+++ b/scripts/serve.js
@@ -25,8 +25,15 @@ const mimeTypes = {
 const server = http.createServer((req, res) => {
 const parsedUrl = url.parse(req.url);
- const safePath = path.normalize(parsedUrl.pathname || '/').replace(/^\.\.(\/|\\)/, '');
- let pathname = path.join(rootDir, safePath);
+ const safePath = parsedUrl.pathname || '/';
+ // Resolve against rootDir and ensure the final path stays within rootDir
+ let pathname = path.resolve(rootDir, '.' + safePath);
+
+ if (!pathname.startsWith(rootDir + path.sep) && pathname !== rootDir) {
+ res.statusCode = 403;
+ res.end('Forbidden');
+ return;
+ }

 if (fs.existsSync(pathname) && fs.statSync(pathname).isDirectory()) {
 pathname = path.join(pathname, 'index.html');
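Review bot: The containment check `!pathname.startsWith(rootDir + path.sep) && pathname !== rootDir` is only correct when `rootDir` is already absolute and carries no trailing separator — `path.resolve` normalizes `pathname` but nothing in the hunk normalizes `rootDir` (it is defined above the hunk), so a `rootDir` such as `'./public/'` or any relative path makes every request answer 403, including `/`. Resolve the root once and decide with `path.relative`, which also covers the Windows cross-drive case where a prefix comparison is unreliable; the rewritten lines are below. The string comparison does not follow symlinks, so a link inside `rootDir` that points outside it still passes — if the served tree can contain symlinks, compare `fs.realpathSync` results instead (hedged, since nothing here shows how `rootDir` is populated). The request handler continues past the hunk, and the hunk's final context line (the closing `}` of the directory `if`) is not in this excerpt.
```javascript
const safePath = parsedUrl.pathname || '/';
const root = path.resolve(rootDir); // absolute, no trailing separator, regardless of how rootDir was written
let pathname = path.resolve(root, '.' + safePath);
// path.relative returns '' for root itself, a '..'-prefixed path for anything outside it,
// and an absolute path on Windows when the two are on different drives
const rel = path.relative(root, pathname);
if (rel === '..' || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
  // … unchanged: 403 Forbidden response …
}
```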