From 1bb02da4fcd60117778bb0fa969fcf4bb9b786d2 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Sun, 31 Mar 2024 17:59:15 +0200
Subject: [PATCH] Change regular expression for "poor mans" URL sanitizer
---
 .../_posts/How-to-create-static-HTTP-server-in-Node-JS.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source/_posts/How-to-create-static-HTTP-server-in-Node-JS.md b/source/_posts/How-to-create-static-HTTP-server-in-Node-JS.md
index ad1535b..225c49c 100644
--- a/source/_posts/How-to-create-static-HTTP-server-in-Node-JS.md
+++ b/source/_posts/How-to-create-static-HTTP-server-in-Node-JS.md
@@ -147,7 +147,7 @@ But we have introduced path traversal vulnerability! (being able to access file
 var server = http.createServer(function (req, res) {
 var filename = "." + req.url;
 if(req.url == "/") filename = "./index.html";
- filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
+ filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.?(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
 fs.readFile(filename, function(err, data) {
 if(err) {
 if(err.code == "ENOENT") {
@@ -185,7 +185,7 @@ That might work fine for HTML files, but if you try other files, there will be c
 var server = http.createServer(function (req, res) {
 var filename = "." + req.url;
 if(req.url == "/") filename = "./index.html";
- filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
+ filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.?(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
 var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method.
 fs.readFile(filename, function(err, data) {
 if(err) {
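Review bot: The optional second dot in `\.\.?` makes the sanitizer match the leading `.` of the `"./"` prefix itself: `^` plus one dot followed by `/` is replaced by the captured `/`, and the slash-collapsing step then leaves a filename that starts with `/`, so `fs.readFile` resolves it against the filesystem root instead of the working directory. The same line is changed in the hunks at 185, 225 and 275. Rather than tuning the regex further, resolve against a fixed root and check containment, e.g. `var root = path.resolve("."); filename = path.resolve(root, "." + req.url);` and answer 403 unless `filename.startsWith(root + path.sep)`. The handler body continues outside the hunk, and no `require` of `path` is visible for this first snippet, so that would need confirming.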
@@ -225,7 +225,7 @@ But with query strings, it will fail. To prevent that, we'll be using WHATWG URL
 var urlObject = new URL(req.url, "http://localhost");
 var filename = "." + urlObject.pathname;
 if(req.url == "/") filename = "./index.html";
- filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
+ filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.?(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
 var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method.
 fs.readFile(filename, function(err, data) {
 if(err) {
@@ -275,7 +275,7 @@ It's nearly finished! But encoded URLs will not work. To fix that, we will use `
 return;
 }
 if(req.url == "/") filename = "./index.html";
- filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
+ filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.?(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
 var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method.
 fs.readFile(filename, function(err, data) {
 if(err) {
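Review bot: The index shortcut in the hunk at 225 still tests `req.url == "/"` although the path now comes from `urlObject.pathname`, so a request for the root that carries a query string skips the `index.html` mapping and reaches `fs.readFile` with a directory path. Compare the parsed path instead: `if(urlObject.pathname == "/") filename = "./index.html";`. The same line appears in the hunk at 275, where the code that builds `filename` is outside the hunk, so it should be checked there as well. The handler starts and ends outside both hunks.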