Merge pull request microsoft#390 from microsoft/sfi-issue-fix

fix: SFI issue fix

Author: Prajwal-Microsoft

src/frontend/frontend_server.py

@@ -50,13 +50,14 @@ async def get_config():
 
 @app.get("/{full_path:path}")
 async def serve_app(full_path: str):
-    # First check if file exists in build directory
-    file_path = os.path.join(BUILD_DIR, full_path)
-    if os.path.exists(file_path):
+    # Remediation: normalize and check containment before serving
+    file_path = os.path.normpath(os.path.join(BUILD_DIR, full_path))
+    # Block traversal and dotfiles
+    if not file_path.startswith(BUILD_DIR) or ".." in full_path or "/." in full_path or "\\." in full_path:
+        return FileResponse(INDEX_HTML)
+    if os.path.isfile(file_path):
         return FileResponse(file_path)
-    # Otherwise serve index.html for client-side routing
     return FileResponse(INDEX_HTML)
 
-
 if __name__ == "__main__":
     uvicorn.run(app, host="127.0.0.1", port=3000)