Prevent path traversal (lukejacksonn#70)

Author: ooooooo-q

servor.js

@@ -152,7 +152,8 @@ module.exports = async ({
   // Start the server and route requests
 
   server((req, res) => {
-    const pathname = decodeURI(url.parse(req.url).pathname);
+    const decodePathname = decodeURI(url.parse(req.url).pathname);
+    const pathname = path.normalize(decodePathname).replace(/^(\.\.(\/|\\|$))+/, '');
     res.setHeader('access-control-allow-origin', '*');
     if (reload && pathname === '/livereload') return serveReload(res);
     if (!isRouteRequest(pathname)) return serveStaticFile(res, pathname);