[tianma-static] Security issue with XSS.
# Vulnerability Details
I would like to report an XSS in tianma-static.
It allows XSS and HTML injection.
First of all, it is my first report and I am sorry that I am not good at English T.T
Thank you.
# Module
**module name:** tianma-static
**version:** 1.0.4
**npm page:** `https://www.npmjs.com/package/tianma-static`
## Module Description
> Provide a static file service.
# Vulnerability
## Vulnerability Description
1) File content type
When I looked at CVE-2018-16474 ([CVE-2018-16474](https://www.cvedetails.com/cve/CVE-2018-16474/), #403692), I thought that vulnerability needs an arbitrary file (name) upload.
If upload is possible, an attacker can upload an `html` file. The content type of the response header then becomes `text/html`, so stored XSS is possible.
{F506823}
2) HTML injection (it can lead to reflected XSS)
When I send `%2f` in the path (example: http://127.0.0.1:8080/%2f), the `resolve` function makes a normal path on the filesystem, but `req.pathname` prints out the manipulated path,
so I can insert any HTML.
{F506824}
Reflected XSS using HTML only does not easily bypass a modern browser,
but if I can upload any file, reflected XSS is possible by loading a script.
{F506825}
## Steps To Reproduce:
1) File content type
> - upload html file with XSS script.
> - xss fired
2) HTML Injection (reflected XSS)
> - upload any file with XSS script.
> - access `/%2f<script src='/[filename]'></script>`
> - xss fired
## Patch
1. Add a content type header to the response.
2. Change `decodeURI` to `decodeURIComponent`, or deny malicious paths.
# Wrap up
- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N
## Impact
If file upload is possible, XSS can occur.
## Report Stats
- Report ID: 606526
- State: Closed
- Substate: resolved