From 6e948a9d27885bf09ba71049a350f352d79667bd Mon Sep 17 00:00:00 2001
From: bluefchen <247527761@qq.com>
Date: Mon, 24 Nov 2025 14:45:10 +0000
Subject: [PATCH] fix(server): normalize file path with resolve to block
 traversal

---
 packages/core/src/server/server.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/core/src/server/server.ts b/packages/core/src/server/server.ts
index d39aaf3..c9f3c1c 100644
--- a/packages/core/src/server/server.ts
+++ b/packages/core/src/server/server.ts
@@ -50,7 +50,7 @@ export function createServer(
     const params = new URLSearchParams(req.url.slice(1));
     let file = decodeURIComponent(params.get('file') as string);
     if (ProjectRootPath && !path.isAbsolute(file)) {
-      file = `${ProjectRootPath}/${file}`;
+      file = path.resolve(ProjectRootPath, file);
     }
     if (
       options?.pathType === 'relative' &&