build(dev-app): prevent directory traversal

Author: jelbourn

tools/dev-server/dev-server.ts

@@ -27,7 +27,7 @@ export class DevServer {
     port: this.port,
     notify: false,
     ghostMode: false,
-    server: true,
+    server: false,
     middleware: (req, res) => this._bazelMiddleware(req, res),
   };
 
@@ -59,7 +59,14 @@ export class DevServer {
    */
   private _bazelMiddleware(req: http.IncomingMessage, res: http.ServerResponse) {
     if (!req.url) {
-      res.end('No url specified. Error');
+      res.end('Error: No url specified');
+      return;
+    }
+
+    // Throw an error if the requested URL contains two consecutive `.` characters
+    // (%2e is `.` url-encoded).
+    if (/(\.|%2e){2,}/.test(req.url)) {
+      res.end('Error: Detected directory traversal');
       return;
     }