Merge commit from fork

yusukebe · web-flow · commit 455015be1697 · 2026-03-03T19:28:08.000+09:00
diff --git a/src/serve-static.ts b/src/serve-static.ts
@@ -68,6 +68,25 @@ const getStats = (path: string) => {
   return stats
 }
 
+type Decoder = (str: string) => string
+
+const tryDecode = (str: string, decoder: Decoder): string => {
+  try {
+    return decoder(str)
+  } catch {
+    // Decode only valid %xx sequences in chunks; keep undecodable parts as-is
+    return str.replace(/(?:%[0-9A-Fa-f]{2})+/g, (match) => {
+      try {
+        return decoder(match)
+      } catch {
+        return match
+      }
+    })
+  }
+}
+
+const tryDecodeURI = (str: string) => tryDecode(str, decodeURI)
+
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export const serveStatic = <E extends Env = any>(
   options: ServeStaticOptions<E> = { root: '' }
@@ -91,7 +110,7 @@ export const serveStatic = <E extends Env = any>(
       filename = optionPath
     } else {
       try {
-        filename = decodeURIComponent(c.req.path)
+        filename = tryDecodeURI(c.req.path)
         if (/(?:^|[\/\\])\.\.(?:$|[\/\\])/.test(filename)) {
           throw new Error()
         }
diff --git a/test/assets/static/admin/secret.txt b/test/assets/static/admin/secret.txt
@@ -0,0 +1 @@
+secret
diff --git a/test/serve-static.test.ts b/test/serve-static.test.ts
@@ -330,7 +330,7 @@ describe('Serve Static Middleware', () => {
     })
   })
 
-  describe('Security tests', () => {
+  describe('Path traversal security tests', () => {
     const app = new Hono()
     const server = createAdaptorServer(app)
     app.use('/static/*', serveStatic({ root: './test/assets' }))
@@ -361,6 +361,29 @@ describe('Serve Static Middleware', () => {
     })
   })
 
+  describe('Path mismatch security tests', () => {
+    const app = new Hono()
+    const server = createAdaptorServer(app)
+
+    app.use('/static/admin/*', async (c, next) => {
+      c.header('X-Authorized', 'true')
+      await next()
+    })
+
+    app.use('/static/*', serveStatic({ root: './test/assets' }))
+
+    it('Should not allow bypass via path mismatch between middleware and serveStatic', async () => {
+      const res = await request(server).get('/static/admin/secret.txt')
+      expect(res.headers['x-authorized']).toBe('true')
+      expect(res.text).toBe('secret')
+
+      const res2 = await request(server).get('/static/admin%2Fsecret.txt')
+      expect(res2.status).toBe(404)
+      expect(res2.headers['x-authorized']).toBeUndefined()
+      expect(res2.text).not.toBe('secret')
+    })
+  })
+
   describe('Stream error handling', () => {
     const testFile = path.join(__dirname, 'assets', 'static', 'plain.txt')
     console.log(testFile)
