fix(security): prevent path traversal in virtual host web hosting handler

[Copilot]

handleWebHosting passed c.Request.URL.Path directly to path.Join(vhost.Path, reqPath), allowing a crafted request like /../../../etc/passwd to escape the virtual host root and traverse into arbitrary filesystem paths via internalfs.Get/Link.

Changes

• Path sanitization: Strip the leading / with strings.TrimPrefix to force a relative path, then stdpath.Clean to resolve any ../. components
• Traversal rejection: Return HTTP 400 if the cleaned result starts with .. (escapes root) or / (absolute path injection) before joining with vhost.Path
• SPA .html fallback: Applied the same sanitized cleanedRel to the <path>.html fallback path, which was also using the raw reqPath

relPath := strings.TrimPrefix(reqPath, "/")
cleanedRel := stdpath.Clean(relPath)
if cleanedRel == "." {
    cleanedRel = ""
}
if cleanedRel == ".." || strings.HasPrefix(cleanedRel, "../") || strings.HasPrefix(cleanedRel, "/") {
    c.Status(http.StatusBadRequest)
    return true
}
filePath := stdpath.Join(vhost.Path, cleanedRel)

Attack example blocked: /../../../etc/passwd → after stripping /, Clean("../../../etc/passwd") = "../../../etc/passwd" → rejected by HasPrefix(cleanedRel, "../").

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.