Fix the forbidden path checking function, and add test cases, where it would fail before the fix

src/utils/forbiddenPaths.js

@@ -54,16 +54,23 @@ function isIndexOfForbiddenPath(decodedHref, match) {
   if (typeof forbiddenPath === "string") {
     const forbiddenPathLower = isWin32 ? forbiddenPath.toLowerCase() : null;
     return isWin32
-      ? decodedHrefLower.indexOf(forbiddenPathLower) == 0
+      ? decodedHrefLower === forbiddenPathLower ||
-      : decodedHref.indexOf(forbiddenPath) == 0;
+          decodedHrefLower.indexOf(forbiddenPathLower + "/") == 0
+      : decodedHref === forbiddenPath ||
+          decodedHref.indexOf(forbiddenPath + "/") == 0;
   }
 
   if (typeof forbiddenPath === "object") {
     return isWin32
       ? forbiddenPath.some(
-          (path) => decodedHrefLower.indexOf(path.toLowerCase()) == 0,
+          (path) =>
+            decodedHrefLower === path.toLowerCase() ||
+            decodedHrefLower.indexOf(path.toLowerCase() + "/") == 0,
         )
-      : forbiddenPath.some((path) => decodedHref.indexOf(path) == 0);
+      : forbiddenPath.some(
+          (path) =>
+            decodedHref === path || decodedHref.indexOf(path + "/") == 0,
+        );
   }
 
   return false;

tests/utils/forbiddenPaths.test.js

@@ -117,6 +117,13 @@ describe("Forbidden paths handling", () => {
       expect(
         isIndexOfForbiddenPath("/notforbidden/", "serverSideScriptDirectories"),
       ).toBe(false);
+      expect(isIndexOfForbiddenPath("/config.json.fake", "config")).toBe(false);
+      expect(
+        isIndexOfForbiddenPath(
+          "/node_modules_fake/",
+          "serverSideScriptDirectories",
+        ),
+      ).toBe(false);
     });
 
     test("should handle case insensitivity on Windows", () => {