SECURITY FIX

* Do not allow relative paths to route outside of www static root area

core/servers/content/web.js

@@ -215,20 +215,22 @@ exports.getModule = class WebServerModule extends ServerModule {
 
     routeIndex(req, resp) {
         const filePath = paths.join(Config().contentServers.web.staticRoot, 'index.html');
-
         return this.returnStaticPage(filePath, resp);
     }
 
     routeStaticFile(req, resp) {
         const fileName = req.url.substr(req.url.indexOf('/', 1));
-        const filePath = paths.join(Config().contentServers.web.staticRoot, fileName);
+        const filePath = this.resolveStaticPath(fileName);
-
         return this.returnStaticPage(filePath, resp);
     }
 
     returnStaticPage(filePath, resp) {
         const self = this;
 
+        if (!filePath) {
+            return this.fileNotFound(resp);
+        }
+
         fs.stat(filePath, (err, stats) => {
             if(err || !stats.isFile()) {
                 return self.fileNotFound(resp);
@@ -245,6 +247,14 @@ exports.getModule = class WebServerModule extends ServerModule {
         });
     }
 
+    resolveStaticPath(requestPath) {
+        const staticRoot = _.get(Config(), 'contentServers.web.staticRoot');
+        const path = paths.resolve(staticRoot, `.${requestPath}`);
+        if (path.startsWith(staticRoot)) {
+            return path;
+        }
+    }
+
     routeTemplateFilePage(templatePath, preprocessCallback, resp) {
         const self = this;