CodeQL: Uncontrolled data used in path expression
We use the URL path to construct the location of the static file to serve.
If we don't sanitize this path, an attacker can traverse directories (e.g., by providing the ../../ prefix) and read files from the filesystem.
The vulnerability can be exploited by unprivileged users.
Edited by Slawek Figiel
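The flagged pattern next to one way to contain it, as an added example that is not the project's own code. Go, the /srv/static root, and the names unsafeResolve, safeResolve and ErrOutsideRoot are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request resolves outside the static root.
var ErrOutsideRoot = errors.New("path escapes static root")

// unsafeResolve mirrors the flagged pattern: the URL path is joined to the
// static directory and used as-is, so "../" segments can climb out of it.
func unsafeResolve(root, urlPath string) string {
	return filepath.Join(root, urlPath)
}

// safeResolve performs the same join, then checks that the cleaned result is
// still inside root. Comparing via filepath.Rel avoids the prefix pitfall where
// "/srv/static-private" would pass a naive HasPrefix("/srv/static") test.
func safeResolve(root, urlPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, filepath.FromSlash(urlPath))
	rel, err := filepath.Rel(absRoot, candidate)
	// Reject ".." itself and anything below it; a file named "..foo" is fine.
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	// Constructed request paths; /srv/static is a hypothetical static root.
	for _, p := range []string{"/assets/app.js", "/../../etc/passwd", "/../static-private/key"} {
		safe, err := safeResolve("/srv/static", p)
		fmt.Printf("%-24q unsafe=%q safe=%q err=%v\n", p, unsafeResolve("/srv/static", p), safe, err)
	}
}
```

The containment check is purely lexical: it does not follow symbolic links, so a symlink placed inside the static root that points elsewhere needs a separate check.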