fix: add path containment check in View.prototype.lookup()

View.prototype.lookup() used path.resolve(root, name) without verifying
the resolved path stayed within the configured views directory. This
inconsistency with res.sendFile() (which uses the send library root
containment check) could allow path traversal when user input is passed
to res.render() unsanitized.

Added a containment check that skips any resolved path not starting with
resolve(root) + sep. Absolute paths are intentionally exempted since
Express supports passing absolute paths directly to res.render().

Fixes #7140

Author: som14062005

lib/view.js

@@ -103,7 +103,6 @@ function View(name, options) {
  * @private
  */
 
-// ← ONLY ONE View.prototype.lookup — the fixed version (Bug 2 fix)
 View.prototype.lookup = function lookup(name) {
   var path;
   var roots = [].concat(this.root);
@@ -176,7 +175,6 @@ View.prototype.render = function render(options, callback) {
  * @private
  */
 
-// ← View.prototype.resolve RESTORED (Bug 3 fix)
 View.prototype.resolve = function resolve(dir, file) {
   var ext = this.ext;