Merge commit from fork

yusukebe · web-flow · commit 025c30f55d58 · 2026-04-07T12:49:03.000+09:00
diff --git a/src/serve-static.ts b/src/serve-static.ts
@@ -111,7 +111,7 @@ export const serveStatic = <E extends Env = any>(
     } else {
       try {
         filename = tryDecodeURI(c.req.path)
-        if (/(?:^|[\/\\])\.\.(?:$|[\/\\])/.test(filename)) {
+        if (/(?:^|[\/\\])\.{1,2}(?:$|[\/\\])|[\/\\]{2,}/.test(filename)) {
           throw new Error()
         }
       } catch {
diff --git a/test/serve-static.test.ts b/test/serve-static.test.ts
@@ -381,6 +381,9 @@ describe('Serve Static Middleware', () => {
       expect(res2.status).toBe(404)
       expect(res2.headers['x-authorized']).toBeUndefined()
       expect(res2.text).not.toBe('secret')
+
+      const res3 = await request(server).get('/static//admin/secret.txt')
+      expect(res3.status).toBe(404)
     })
   })
 

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ export const serveStatic = <E extends Env = any>(`
`111`	`111`	`} else {`
`112`	`112`	`try {`
`113`	`113`	`filename = tryDecodeURI(c.req.path)`
`114`		`- if (/(?:^\|[\/\\])\.\.(?:$\|[\/\\])/.test(filename)) {`
	`114`	`+ if (/(?:^\|[\/\\])\.{1,2}(?:$\|[\/\\])\|[\/\\]{2,}/.test(filename)) {`
`115`	`115`	`throw new Error()`
`116`	`116`	`}`
`117`	`117`	`} catch {`