From 3ee5d4a416553fe1711185e2be777d8200bc3bec Mon Sep 17 00:00:00 2001
From: Jon Dough <49297268+stjet@users.noreply.github.com>
Date: Wed, 28 Feb 2024 07:41:33 +0530
Subject: [PATCH] preview 404 page, preview security fix 404 page now shows when running preview fix path traversal attack. preview.ts not meant to be used in production (this is a static site!), but hey
---
 preview.ts | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/preview.ts b/preview.ts
index cb620e1..2932569 100644
--- a/preview.ts
+++ b/preview.ts
@@ -11,11 +11,17 @@ createServer((req, res) => {
   } else {
     req_path = path.join(__dirname, "build", req.url);
   }
-  if (!existsSync(req_path)) {
-    res.writeHead(404);
-    //write file
-    res.write("404");
+  let status_code = 200;
+  //req.url.includes("..")
+  if (!req_path.startsWith(path.join(__dirname, "build"))) {
+    //nice try, bad request
+    res.writeHead(400);
+    res.write("400");
     return res.end();
+  } else if (!existsSync(req_path)) {
+    status_code = 404;
+    //serve 404 page instead of non-existent page
+    req_path = path.join(__dirname, "build", "404.html");
   }
   //set content type
   let non_utf8_content_types: string[] = ["image/png", "image/gif", "image/jpeg", "video/mp4"];
@@ -49,7 +55,7 @@ createServer((req, res) => {
     default:
       content_type = "text/plain";
   }
-  res.writeHead(200, {
+  res.writeHead(status_code, {
     "Content-Type": content_type,
   });
   //write file
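Review bot: The new `startsWith` guard compares against the bare directory string, so any path under `__dirname` whose name merely begins with `build` (a sibling such as `build-old`) also passes once `path.join` has collapsed the `..` segments; the check should require the directory itself or the directory plus a separator, e.g. `const build_dir = path.join(__dirname, "build");` and `if (req_path !== build_dir && !req_path.startsWith(build_dir + path.sep)) {`. The leftover `//req.url.includes("..")` line reads as dead code; either drop it or replace it with a comment stating why the resolved path is compared instead (`path.join` already collapses `..`, so a substring test on the raw URL would be both insufficient and brittle). The 404 branch assigns `404.html` without confirming it exists, so if that file is missing the later read presumably fails rather than returning 404; guarding it with the same `existsSync` would keep the fallback safe. The `createServer` callback begins and ends outside this hunk, so the earlier `req.url` handling and the file read were not reviewed.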