fix(prerender): skip writing routes with .. or outside of public dir

Author: pi0

src/prerender/prerender.ts

@@ -154,8 +154,8 @@ export async function prerender(nitro: Nitro) {
   };
 
   const canWriteToDisk = (route: PrerenderRoute) => {
-    // Cannot write routes with query
-    if (route.route.includes("?")) {
+    // Cannot write routes with query or containing ..
+    if (route.route.includes("?") || route.route.includes("..")) {
       return false;
     }
 
@@ -291,8 +291,8 @@ export async function prerender(nitro: Nitro) {
     }
 
     // Write to the disk
-    if (canWriteToDisk(_route)) {
-      const filePath = join(nitro.options.output.publicDir, _route.fileName);
+    const filePath = join(nitro.options.output.publicDir, _route.fileName);
+    if (canWriteToDisk(_route) && filePath.startsWith(nitro.options.output.publicDir)) {
       await writeFile(filePath, dataBuff!);
       nitro._prerenderedRoutes!.push(_route);
     } else {