fix vulnerability when serving /client/... files

Author: Conduitry

runtime/src/server/middleware/index.ts

@@ -106,15 +106,15 @@ export function serve({ prefix, pathname, cache_control }: {
 	const cache: Map<string, Buffer> = new Map();
 
 	const read = dev
-		? (file: string) => fs.readFileSync(path.resolve(build_dir, file))
-		: (file: string) => (cache.has(file) ? cache : cache.set(file, fs.readFileSync(path.resolve(build_dir, file)))).get(file)
+		? (file: string) => fs.readFileSync(path.join(build_dir, file))
+		: (file: string) => (cache.has(file) ? cache : cache.set(file, fs.readFileSync(path.join(build_dir, file)))).get(file)
 
 	return (req: Req, res: Res, next: () => void) => {
 		if (filter(req)) {
 			const type = lookup(req.path);
 
 			try {
-				const file = decodeURIComponent(req.path.slice(1));
+				const file = path.posix.normalize(decodeURIComponent(req.path));
 				const data = read(file);
 
 				res.setHeader('Content-Type', type);