fix CodeQL warning for path-injection (#9243)

js/web/test/e2e/run.js

@@ -93,6 +93,7 @@ async function testAllBrowserCases({ hostInKarma }) {
 }
 
 async function runKarma({ hostInKarma, main, browser }) {
+  fs.emptyDirSync(CHROME_USER_DATA_FOLDER);
   const selfHostFlag = hostInKarma ? '--self-host' : '';
   await runInShell(
     `npx karma start --single-run --browsers ${browser} ${selfHostFlag} --test-main=${main} --user-data=${CHROME_USER_DATA_FOLDER}`);

js/web/test/e2e/simple-http-server.js

@@ -6,58 +6,54 @@
 // this is a simple HTTP server that enables CORS.
 // following code is based on https://developer.mozilla.org/en-US/docs/Learn/Server-side/Node_server_without_framework
 
-var http = require('http');
-var fs = require('fs');
-var path = require('path');
+const http = require('http');
+const fs = require('fs');
+const path = require('path');
 
-var simpleProxies = {
-  './ort-wasm.wasm': './ort-wasm.wasm'
+const validRequests = {
+  // .wasm files
+  '/dist/ort-wasm.wasm': ['dist/ort-wasm.wasm', 'application/wasm'],
+  '/dist/ort-wasm-simd.wasm': ['dist/ort-wasm-simd.wasm', 'application/wasm'],
+  '/dist/ort-wasm-threaded.wasm': ['dist/ort-wasm-threaded.wasm', 'application/wasm'],
+  '/dist/ort-wasm-simd-threaded.wasm': ['dist/ort-wasm-simd-threaded.wasm', 'application/wasm'],
+
+  // proxied .wasm files:
+  '/test-wasm-path-override/ort-wasm.wasm': ['dist/ort-wasm.wasm', 'application/wasm'],
+  //'/test-wasm-path-override/renamed.wasm': ['dist/ort-wasm.wasm', 'application/wasm'],
+
+  // .js files
+  '/dist/ort.min.js': ['dist/ort.min.js', 'text/javascript'],
+  '/dist/ort.js': ['dist/ort.js', 'text/javascript'],
 };
 
 module.exports = function (dir) {
   http.createServer(function (request, response) {
     console.log('request ', request.url);
 
-    var filePath = '.' + (simpleProxies[request.url] ?? request.url);
-
-    var extname = String(path.extname(filePath)).toLowerCase();
-    var mimeTypes = {
-      '.html': 'text/html',
-      '.js': 'text/javascript',
-      '.css': 'text/css',
-      '.json': 'application/json',
-      '.png': 'image/png',
-      '.jpg': 'image/jpg',
-      '.gif': 'image/gif',
-      '.svg': 'image/svg+xml',
-      '.wav': 'audio/wav',
-      '.mp4': 'video/mp4',
-      '.woff': 'application/font-woff',
-      '.ttf': 'application/font-ttf',
-      '.eot': 'application/vnd.ms-fontobject',
-      '.otf': 'application/font-otf',
-      '.wasm': 'application/wasm'
-    };
-
-    var contentType = mimeTypes[extname] || 'application/octet-stream';
-
-    fs.readFile(path.resolve(dir, filePath), function (error, content) {
-      if (error) {
-        if (error.code == 'ENOENT') {
-          response.writeHead(404);
-          response.end('404');
+    const requestData = validRequests[request.url];
+    if (!request) {
+      response.writeHead(404);
+      response.end('404');
+    } else {
+      const [filePath, contentType] = requestData;
+      fs.readFile(path.resolve(dir, filePath), function (error, content) {
+        if (error) {
+          if (error.code == 'ENOENT') {
+            response.writeHead(404);
+            response.end('404');
+          }
+          else {
+            response.writeHead(500);
+            response.end('500');
+          }
         }
         else {
-          response.writeHead(500);
-          response.end('500');
+          response.setHeader('access-control-allow-origin', '*');
+          response.writeHead(200, { 'Content-Type': contentType });
+          response.end(content, 'utf-8');
         }
-      }
-      else {
-        response.setHeader('access-control-allow-origin', '*');
-        response.writeHead(200, { 'Content-Type': contentType });
-        response.end(content, 'utf-8');
-      }
-    });
+      });
+    }
 
   }).listen(8081);
   console.log('Server running at http://127.0.0.1:8081/');