
Conversation

@ohgodwhy2k
Owner

Potential fix for https://github.com/ohgodwhy2k/quicksite/security/code-scanning/1

To fix the problem, we need to validate the path derived from user input such that only files strictly underneath the project's DIST_ROOT can be served. This is best done by:

  1. Constructing the target path with path.resolve() (after joining with the root), which canonicalizes it, removing .. segments, etc.
  2. Comparing the resulting absolute, normalized path to ensure it starts with the known absolute path for DIST_ROOT.
  3. Only serving files when this check passes; otherwise respond with a 403 Forbidden or 404.

Update the scripts/serve.js in the handler for requests:

  • At the top of the file, compute the canonical absolute path to DIST_ROOT once.
  • Resolve requested file paths with path.resolve(), using canonical DIST_ROOT as the base.
  • Before reading any file, check if the resolved path starts with the absolute DIST_ROOT path.
  • If not, respond with a 403 Forbidden and terminate the request.

You will also need to add an import for resolve and normalize if not already present (although resolve is available from node:path).


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

ohgodwhy2k and others added 2 commits November 21, 2025 16:57
…n path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@ohgodwhy2k ohgodwhy2k closed this Nov 21, 2025
@ohgodwhy2k ohgodwhy2k deleted the alert-autofix-1 branch November 22, 2025 01:31