From 43c447edd0c23db5a9acc477befa77a42826d1a3 Mon Sep 17 00:00:00 2001
From: Arunoda Susiripala <arunoda.susiripala@gmail.com>
Date: Thu, 1 Jun 2017 05:46:32 +0530
Subject: [PATCH] Implement the fix.

---
 server/index.js | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/server/index.js b/server/index.js
index 31ba009d..902d4061 100644
--- a/server/index.js
+++ b/server/index.js
@@ -1,4 +1,4 @@
-import { resolve, join } from 'path'
+import { resolve, join, sep } from 'path'
 import { parse as parseUrl } from 'url'
 import { parse as parseQs } from 'querystring'
 import fs from 'fs'
@@ -295,6 +295,10 @@ export default class Server {
   }
 
   async serveStatic (req, res, path) {
+    if (!this.isServeableUrl(path)) {
+      return this.render404(req, res)
+    }
+
     try {
       return await serveStatic(req, res, path)
     } catch (err) {
@@ -306,6 +310,19 @@ export default class Server {
     }
   }
 
+  isServeableUrl (path) {
+    const resolved = resolve(path)
+    if (
+      resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 &&
+      resolved.indexOf(join(this.dir, 'static') + sep) !== 0
+    ) {
+      // Seems like the user is trying to traverse the filesystem.
+      return false
+    }
+
+    return true
+  }
+
   isInternalUrl (req) {
     for (const prefix of internalPrefixes) {
       if (prefix.test(req.url)) {