From b99b96ac5c20eb4f0677675592ce31c7215f61cd Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 18:46:19 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 playwright/e2e-examples/e2e-tests/server/index.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/playwright/e2e-examples/e2e-tests/server/index.js b/playwright/e2e-examples/e2e-tests/server/index.js
index a0e50722..3df475c6 100644
--- a/playwright/e2e-examples/e2e-tests/server/index.js
+++ b/playwright/e2e-examples/e2e-tests/server/index.js
@@ -31,6 +31,12 @@ class Server {
 break;
 default:
+ if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
+
 const localFilePath = path.join(__dirname, 'assets', req.url === '/' ? 'index.html' : req.url);
 function shouldServe() {
 try {
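Review bot: The added guard in the `default:` branch compares `path.normalize(decodeURI(req.url))` with the decoded URL instead of checking that the resolved file path stays inside `assets`, and the `path.join` below it still uses the raw `req.url`, so the value that is validated is not the value that is opened. `decodeURI` throws `URIError` on a malformed percent-escape, and no try/catch is visible around it in this hunk, so such a request may surface as an unhandled exception rather than a 403. On Windows `path.normalize` rewrites `/` to `\`, so the comparison would reject every request there. I would decode once inside a try/catch, build `localFilePath` from that decoded value, and require it to start with the assets root plus `path.sep`, as sketched below; if the server is meant to serve the raw URL, drop the decode and keep only the containment check. The `default:` branch continues past the end of the hunk.

```javascript
      default:
        const assetsRoot = path.join(__dirname, 'assets');
        let requested;
        try {
          // Decode once, without the query string, and use this same value for the file path.
          requested = decodeURIComponent(req.url.split('?')[0]);
        } catch (err) {
          // Malformed percent-escape: answer 400 instead of letting URIError escape the handler.
          res.statusCode = 400;
          res.end();
          return;
        }

        const localFilePath = path.join(assetsRoot, requested === '/' ? 'index.html' : requested);
        // Containment check on the resolved path, independent of the platform separator.
        if (!localFilePath.startsWith(assetsRoot + path.sep)) {
          res.statusCode = 403;
          res.end();
          return;
        }
        // … unchanged: shouldServe() and the rest of the default branch …
```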