From 6c410cb7340fdde9b78eace88ee5fca52fde54f7 Mon Sep 17 00:00:00 2001
From: Kamil Tunkiewicz <kamiltunkiewicz@currencyfair.com>
Date: Fri, 16 Oct 2020 19:41:17 +0200
Subject: [PATCH] properly handling relative paths

---
 cli/index.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/cli/index.ts b/cli/index.ts
index f3e18a55..814cb9ad 100644
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -6,7 +6,7 @@ import { ServerStyleSheet } from 'styled-components';
 
 import { compile } from 'handlebars';
 import { createServer, IncomingMessage, ServerResponse } from 'http';
-import { dirname, join, resolve } from 'path';
+import { dirname, join, resolve, normalize, relative } from 'path';
 import { lookup } from 'mime-types';
 
 import * as zlib from 'zlib';
@@ -202,8 +202,9 @@ async function serve(port: number, pathToSpec: string, options: Options = {}) {
         'Content-Type': 'application/json',
       });
     } else {
-      if (options.static && options.static !== '' && request.url?.startsWith('/' + options.static)) {
-        const filePath = join(dirname(pathToSpec), request.url);
+      const filePath = normalize(join(dirname(pathToSpec), request.url || ''));
+      const relativePath = relative(dirname(pathToSpec), filePath);
+      if (options.static && options.static !== '' && relativePath.startsWith(options.static)) {
         const file = createReadStream(filePath);
         file.on('open', function () {
           response.setHeader('Content-Type', lookup(filePath) || 'text/plain');