fix(static): prevent path traversal via percent-encoded dot segments

Author: pi0

src/utils/static.ts

@@ -81,6 +81,13 @@ export async function serveStatic(
     withLeadingSlash(withoutTrailingSlash(parseURL(event.path).pathname)),
   );
 
+  if (originalId.includes("..")) {
+    if (!options.fallthrough) {
+      throw createError({ statusCode: 404 });
+    }
+    return false;
+  }
+
   const acceptEncodings = parseAcceptEncoding(
     getRequestHeader(event, "accept-encoding"),
     options.encodings,

test/static.test.ts

@@ -1,3 +1,4 @@
+import { request as httpRequest } from "node:http";
 import supertest, { SuperTest, Test } from "supertest";
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import {
@@ -108,4 +109,32 @@ describe("Serve Static", () => {
     const res = await request.post("/test.png");
     expect(res.status).toEqual(405);
   });
+
+  it("Prevents path traversal via percent-encoded dot segments", async () => {
+    const listener = toNodeListener(app);
+    const server = await import("node:http").then((m) =>
+      m.createServer(listener),
+    );
+    await new Promise<void>((resolve) => server.listen(0, resolve));
+    const port = (server.address() as any).port;
+    try {
+      const res = await new Promise<{ statusCode: number }>((resolve) => {
+        httpRequest(
+          {
+            hostname: "127.0.0.1",
+            port,
+            path: "/%2e%2e/%2e%2e/etc/passwd",
+            method: "GET",
+          },
+          (res) => resolve({ statusCode: res.statusCode! }),
+        ).end();
+      });
+      expect(serveStaticOptions.getMeta).not.toHaveBeenCalledWith(
+        expect.stringContaining(".."),
+      );
+      expect(res.statusCode).toEqual(404);
+    } finally {
+      server.close();
+    }
+  });
 });