From c3f53d2d354a136b78990e29cc350b6245c2bc9d Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera <alromh87@gmail.com>
Date: Fri, 4 Sep 2020 21:07:56 +0300
Subject: [PATCH 1/2] Fix Path traversal vulnerability

---
 index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index 09f2857..894b72b 100644
--- a/index.js
+++ b/index.js
@@ -16,6 +16,7 @@ var requestListener = function (request, response) {
     var path = process.cwd();
     var delay = (0.5 + (Math.random() / 2)) * 100;
 
+    request.url = request.url.replace(/(\.\.)/g, '');
     if (request.url.indexOf('/api') === 0) {
 
         path += querystring.unescape(request.url).slice(4);
@@ -103,4 +104,4 @@ var requestListener = function (request, response) {
 
 var server = http.createServer(requestListener);
 server.listen(8080);
-console.log('Sever listen on localhost:8080');
\ No newline at end of file
+console.log('Sever listen on localhost:8080');

From 5bec24fb712034488b635f9e22ea64d90267813f Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera <alromh87@gmail.com>
Date: Mon, 7 Sep 2020 22:38:57 +0300
Subject: [PATCH 2/2] Fix after unescape

---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.js b/index.js
index 894b72b..2b550d8 100644
--- a/index.js
+++ b/index.js
@@ -19,7 +19,7 @@ var requestListener = function (request, response) {
     request.url = request.url.replace(/(\.\.)/g, '');
     if (request.url.indexOf('/api') === 0) {
 
-        path += querystring.unescape(request.url).slice(4);
+        path += querystring.unescape(request.url).slice(4).replace(/(\.\.)/g, '');
 
         var pathStat = fs.lstatSync(path);
         console.log('reqbody', request.body);