diff --git a/src/viewer.js b/src/viewer.js
index ae4ab261..564039ac 100644
--- a/src/viewer.js
+++ b/src/viewer.js
@@ -14,6 +14,7 @@ const Logger = require('./Logger');
 const analyzer = require('./analyzer');
 
 const projectRoot = path.resolve(__dirname, '..');
+const assetsRoot = path.join(projectRoot, 'public');
 
 module.exports = {
   startServer,
@@ -169,7 +170,13 @@ async function generateReport(bundleStats, opts) {
 }
 
 function getAssetContent(filename) {
-  return fs.readFileSync(`${projectRoot}/public/$(unknown)`, 'utf8');
+  const assetPath = path.join(assetsRoot, filename);
+
+  if (!assetPath.startsWith(assetsRoot)) {
+    throw new Error(`"$(unknown)" is outside of the assets root`);
+  }
+
+  return fs.readFileSync(assetPath, 'utf8');
 }
 
 /**
diff --git a/views/script.ejs b/views/script.ejs
index 718c954f..37976abf 100644
--- a/views/script.ejs
+++ b/views/script.ejs
@@ -4,5 +4,5 @@
   <%- escapeScript(assetContent(filename)) %>
 <% } else { %>
-
+
 <% } %>
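Review bot: The containment check in getAssetContent is a bare prefix test, `assetPath.startsWith(assetsRoot)`, which also accepts paths under any sibling directory whose name merely begins with the assets directory name (a resolved `<projectRoot>/public-other/x` passes as well), so the guard is wider than the intent of keeping reads inside the assets root. Comparing against the root plus a separator closes that gap: `if (!assetPath.startsWith(assetsRoot + path.sep)) {`; path.join already normalizes `..` segments, so the comparison is made on the resolved path. On case-insensitive filesystems a string prefix comparison may still differ from the filesystem's view of the path, which is presumably acceptable here but worth a comment. The rejection message interpolates the caller-supplied filename; if that error ever propagates into an HTTP response it reflects the request back, so logging the name server-side and throwing a fixed message would be safer. getAssetContent lies fully within the hunk; the surrounding module continues outside it.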