expressjs / serve-static

Serve static files

Change access to files outside root to 404 instead of 403?

nallown opened this issue · comments

A contributor was nice enough to run a full-fledged grayhat attack on my website to look for security vulnerabilities, and one of the critical ones that we discovered is that serve-static allows you to access subdirectories towards the root directory and onwards.

For example, you may use serve-static to serve public files such as js and css from the root onwards, so domain.com/js and domain.com/css would route to <project_directory>/public/css and <project_directory>/public/js, but believe it or not, the user can actually take advantage of that to navigate to subdirectories.

A sample request may be domain.com/a//%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd/1

While, of course, luckily the web app runs as a dedicated user which only has access to the www directory, so it would return a forbidden error, I still believe that this is a critical error that needs to be solved.

If any more information is required, then I'd be happy to respond and support you guys with fixing this problem by providing you with more information if required, and even stack traces.

If this is critical, please email me rather than posting on a public web site that everyone can read to attack any web site now. To proceed, please provide me the version of Node.js you are using, the version of this library, an example app that has this issue and the request to make to it. Feel free to provide these details by email (my email is in my GitHub profile).

So after discussing over email and some code/stack trace sharing, it seems like rather than outside content sharing, this may have been confusion over why this module is causing an Error: Forbidden. I believe @nallown was thinking it was caused by actually accessing the files outside the root and getting a file system permission error. Rather, from the gathered stack traces, it was this module detecting that the URL would have resulted in a file access outside the root and just issued a 403 Forbidden response instead of attempting any outside access.

@nallown please chime in if this summary doesn't sound right :)

Sounds right to me, exactly as mentioned.
Thanks for the support @dougwilson :)

Alright, this is finally implemented! By default this will just next() out of the middleware if the access is to outside the root. This is configurable with the new fallthrough option.