Prevent DoS attack

[Zarel]

A pathname containing U+0000 NULL will crash fs.stat with the error message "TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string or Uint8Array without null bytes."

This commit prevents node-static from crashing.

[tchakabam]

shouldn't this be related to / fixed in the specific Node runtime in use?

[Zarel]

It looks like this is new in Node.js v10:

https://alexatnet.com/node-js-10-important-changes/#fs-2

In previous Node versions, it would be passed as an error to the fs.stat callback, so it would respond with a 404:

        fs.stat(pathname, function (e, stat) {
            if (e) {
                finish(404, {});

But in Node 10 and later, fs.stat instead synchronously throws an error.

[Zarel]

https://github.com/nodejs/node/pull/18308

is the change in Node.js that led to this regression.

[lovasoa]

This is a serious security issue. What is the state of this PR ?

[kashif-m]

Why is this still not closed? 🤔

[brettz9]

Closing as #227 avoids need for this PR.