From ed99c3237f5d1d9d67a2e0a12f72e3f55a47f080 Mon Sep 17 00:00:00 2001
From: th0r
Date: Thu, 11 Apr 2019 13:44:42 +0300
Subject: [PATCH] Use relative links for serving internal assets

---
 src/viewer.js | 9 ++++++++-
 views/script.ejs | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/viewer.js b/src/viewer.js
index ae4ab261..564039ac 100644
--- a/src/viewer.js
+++ b/src/viewer.js
@@ -14,6 +14,7 @@ const Logger = require('./Logger');
 const analyzer = require('./analyzer');
 
 const projectRoot = path.resolve(__dirname, '..');
+const assetsRoot = path.join(projectRoot, 'public');
 
 module.exports = {
   startServer,
@@ -169,7 +170,13 @@ async function generateReport(bundleStats, opts) {
 }
 
 function getAssetContent(filename) {
-  return fs.readFileSync(`${projectRoot}/public/$(unknown)`, 'utf8');
+  const assetPath = path.join(assetsRoot, filename);
+
+  if (!assetPath.startsWith(assetsRoot)) {
+    throw new Error(`"$(unknown)" is outside of the assets root`);
+  }
+
+  return fs.readFileSync(assetPath, 'utf8');
 }
 
 /**
diff --git a/views/script.ejs b/views/script.ejs
index 718c954f..37976abf 100644
--- a/views/script.ejs
+++ b/views/script.ejs
@@ -4,5 +4,5 @@
   <%- escapeScript(assetContent(filename)) %>
 <% } else { %>
-
+
 <% } %>
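Review bot: The containment check added in getAssetContent compares the joined path against the bare `assetsRoot` string, so any sibling directory whose name merely begins with `public` (a constructed example: `<projectRoot>/public-old`) would satisfy `startsWith` even though it lies outside the assets directory; the guard should require the separator, `if (!assetPath.startsWith(assetsRoot + path.sep)) {`, or equivalently reject when `path.relative(assetsRoot, assetPath)` starts with `..`. Whether `filename` can be influenced by a request is not visible in this hunk, so the practical impact depends on the callers elsewhere in src/viewer.js. A one-line comment above the check would also help the next reader, e.g. `// path.join() normalizes '..' segments, so this prefix test is what keeps reads confined to public/`.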