
How do I restrict directory traversal?

Open mk-pmb opened this issue 7 years ago • 0 comments

brfs works great! I'm trying to use it in a CGI to re-invent browserify-as-a-service, but for this, it works too well. Suppose this snoop.js sneaks into one of my dependencies:

```js
'use strict';
var fs = require('fs');
// every one of these reads is resolved at build time by brfs and inlined as a literal
module.exports = {
  powerState: fs.readFileSync('/sys/power/state', 'utf8'),
  powerWakeupCount: fs.readFileSync('/sys/power/wakeup_count', 'utf8'),
  installedDisks: fs.readdirSync('/dev/disk/by-id'),
  ip4Devices: fs.readdirSync('/proc/sys/net/ipv4/conf'),
  htpasswd: fs.readFileSync(__dirname + '/../../.git/.htpasswd', 'utf8'),
};
```

With just `brfs snoop.js`, it results in

```js
'use strict';

module.exports = {
  powerState: "freeze mem disk\n",
  powerWakeupCount: "8\n",
  installedDisks: ["ata-██MODEL██-██SERIAL██","ata-██MODEL██-██SERIAL██-part1","███[…]███"],
  ip4Devices: ["all","default","eth█","lo","wlan█","█████","████"],
  htpasswd: "# (fake logins, dont worry)\n# hax0r: notme\nhax0r:{SHA}30DQVTTQQ1u0WhIi1JAaDnqYDSc=\n# test: 321tset\ntest:{SHA}3s2ffDekAGYsJC59av3IisVQ3Is=\n",
};
```

So is there an easy way to specify a chroot-like path so that brfs will only read files within that path?

Update: Feature creep:

  • array of whitelisted chdir paths
  • custom decider function (or is this the tr.on(file) event?)

mk-pmb · Jul 19 '16 00:07