Dangerous example

[bitdivine]

The example server.js:

var staticHandler = function(request, response) {
  var path = request.url;

  fs.readFile(__dirname + path, function(err, content) {

doesn't validate the url, so there is nothing stopping it from being e.g. /../spec/server.key (given a few lines later). Given that people are likely to copy the example, setting a safe precedent might be a good idea! :-)

[jcoglan]

That's a really good point, I don't want people to put that code in production. Is there a library for automatically sanitising the path? Otherwise I could add something like this to detect path traversal:

  if (/(^|\/)\.\.?(\/|$)/.test(path)) {
    // reject request
  }

I don't like how opaque that regex is but I also want to make this code safe.