Security: Fix Path Traversal Vulnerability in Python Static Content Server (#915)

* security: fix path traversal vulnerability in static server

* security: simplify path traversal fix using maintainer suggested regex

* security: fix(regex): add back '@' character to support vite tests

* style: run lint, format, and mypy via nox

Author: JoshuaProvoste

python/neuroglancer/server.py

@@ -44,9 +44,7 @@
 
 MESH_PATH_REGEX = r"^/neuroglancer/mesh/(?P<key>[^/]+)/(?P<object_id>[0-9]+)$"
 
-STATIC_PATH_REGEX = (
-    r"^/v/(?P<viewer_token>[^/]+)/(?P<path>(?:[@a-zA-Z0-9_\-][@a-zA-Z0-9_\-./]*)?)$"
-)
+STATIC_PATH_REGEX = r"^/v/(?P<viewer_token>[^/]+)/(?P<path>(?:[a-zA-Z0-9_@\-][a-zA-Z0-9_@\-.]*(?:/[a-zA-Z0-9_@\-][a-zA-Z0-9_@\-.]*)*)?)$"
 
 ACTION_PATH_REGEX = r"^/action/(?P<viewer_token>[^/]+)$"