fix: server: route: path traversal

server/route.mjs

@@ -77,7 +77,11 @@ async function route({config, options, request, response}) {
     const rootName = name.replace(CloudFunc.FS, '') || '/';
     const fullPath = root(rootName, config('root'));
     
+    if (fullPath.indexOf(config('root')))
+        return ponse.sendError(Error(`Path '${fullPath}' beyond root '${config('root')}'`), p);
+    
     const {html, win32} = options;
+    
     const read = getReadDir(config, {
         win32,
     });

test/rest/fs.mjs

@@ -18,3 +18,10 @@ test('cloudcmd: rest: fs: path', async (t) => {
     t.equal(path, '/', 'should dir path be "/"');
     t.end();
 });
+
+test('cloudcmd: path traversal beyond root', async (t) => {
+    const {body} = await request.get('/fs..%2f..%2fetc/passwd');
+    
+    t.match(body, 'beyond root', 'should return beyond root message');
+    t.end();
+});