Fix path traversal issue in createTemporaryNodeServer

The test-only createTemporaryNodeServer helper featured a path traversal
vulnerability. This enables attackers with network access to the device
to read arbitrary files while unit tests are running that activate this
test server.

This patch fixes the issue by validation of paths.

To test this vulnerability before the patch:

1. Run the test-only server:

```
node -e 'console.log(require("./test/unit/test_utils.js").createTemporaryNodeServer().port)
```

2. From another terminal, send the following request (modify the port to
   the port reported in the previous step):

```
curl --path-as-is http://localhost:45755/../../package.json
```

Before the patch, the second step would traverse the directory, and
return results from the root of the PDF.js repository, instead of files
within test/pdfs/.

With the patch, the server refuses the request with HTTP status 400.

test/unit/test_utils.js

@@ -127,9 +127,23 @@ function createTemporaryNodeServer() {
 
   const fs = process.getBuiltinModule("fs"),
     http = process.getBuiltinModule("http");
+  function isAcceptablePath(requestUrl) {
+    try {
+      // Reject unnormalized paths, to protect against path traversal attacks.
+      const url = new URL(requestUrl, "https://localhost/");
+      return url.pathname === requestUrl;
+    } catch {
+      return false;
+    }
+  }
   // Create http server to serve pdf data for tests.
   const server = http
     .createServer((request, response) => {
+      if (!isAcceptablePath(request.url)) {
+        response.writeHead(400);
+        response.end("Invalid path");
+        return;
+      }
       const filePath = process.cwd() + "/test/pdfs" + request.url;
       fs.promises.lstat(filePath).then(
         stat => {