Accessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files. Paths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as "..". Such a path could point anywhere on the file system.

Description
This PR fixes multiple path traversal vulnerabilities and strengthens input validation to ensure safe filesystem access.

• web/handler.go (parseImportMap)

  • Normalize and resolve both AppDir and user-supplied paths before file access.
  • Reject requests if the resolved path escapes AppDir.
  • Return "Invalid file name" for invalid input.

• server/npmrc.go (NewNpmRcFromJSON)

  • Validate zoneId to allow only alphanumeric characters, dashes, and underscores (^[\w\-]+$).
  • Reject unsafe values containing separators, dots, or disallowed characters.
  • Enforce optional length limits.

• server/build_resolver.go (validateJSFile)

  • Ensure constructed filenames resolve strictly within the safe root (ctx.wd/node_modules/pkgName).
  • Apply absolute path resolution and strict prefix validation.
  • Reject attempts to access files outside the target package directory.

• internal/storage/storage_fs.go

  • Added a helper function to validate all user-supplied keys/paths.
  • Confirm resolved paths remain within the configured storage root.
  • Updated Stat, Get, Put, Delete, DeleteAll, and List to use the validated paths.

Notes

• All fixes use the Go standard library (path/filepath, strings, regexp).
• These changes mitigate directory traversal attacks and improve overall security of filesystem operations.