Local file inclusion in JS written app

I am working on a project which requires the name of the page as a query parameter ‘path’ and the app stores path variable as res.query.path, so I’m concerned about LFI because my manager asked me to pay attention to it specifically. The app is using JS(express) and no PHP, so my first question is if the input is not handled carefully is it still vulnerable to PHP wrappers? and secondly, I’ve written a small function to sanitize user input, please tell if it vulnerable in an environment where path parameter is being prepended using: function prepare(dir){ return path.resolve('./public/' + dir) } for getting absolute path. and then used as input to res.sendFile().The following code removes the first character if not alphanumeric

function strip(dir){ const regex = /^[a-z0-9]$  /im  if(!regex.test(dir[0])){     if(dir.length > 0){         return strip(dir.slice(1))     }     return '' }  return dir } 

To be on the safe side I’ve also added

//Prevent directory traversal attack function preventTraversal(dir){     if(dir.includes('../')){         let res = dir.replace('../', '')         return preventTraversal(res) }   //In case people want to test locally on windows if(dir.includes('..\')){     let res = dir.replace('..\', '')     return preventTraversal(res) } return dir } 

The app’s request flow goes like this:let path=req.query.path => uses path=strip(path) => path =preventTraversal(path) => res.sendFile(prepare(page))