fix(static): prevent path traversal via double-encoded dot segments

pi0 · pi0 · commit 8e9993fd43d7 · 2026-03-19T21:13:13.000+01:00
`%252e%252e` decodes to `%2e%2e` after `decodeURI()` which bypassed
`resolveDotSegments` since it only matched literal `..` segments
diff --git a/src/utils/internal/path.ts b/src/utils/internal/path.ts
@@ -56,25 +56,25 @@ export function getPathname(path: string = "/"): string {
  * Decode percent-encoded pathname, preserving %25 (literal `%`).
  */
 export function decodePathname(pathname: string): string {
-  return decodeURI(
-    pathname.includes("%25") ? pathname.replace(/%25/g, "%2525") : pathname,
-  );
+  return decodeURI(pathname.includes("%25") ? pathname.replace(/%25/g, "%2525") : pathname);
 }
 
 export function resolveDotSegments(path: string): string {
-  if (!path.includes(".")) {
+  if (!path.includes(".") && !path.includes("%2")) {
     return path;
   }
   // Normalize backslashes to forward slashes to prevent traversal via `\`
   const segments = path.replaceAll("\\", "/").split("/");
   const resolved: string[] = [];
   for (const segment of segments) {
-    if (segment === "..") {
+    // Decode percent-encoded dots (%2e/%2E) to catch double-encoded traversal
+    const normalized = segment.replace(/%2e/gi, ".");
+    if (normalized === "..") {
       // Never pop past the root (first empty segment from leading slash)
       if (resolved.length > 1) {
         resolved.pop();
       }
-    } else if (segment !== ".") {
+    } else if (normalized !== ".") {
       resolved.push(segment);
     }
   }
diff --git a/test/static.test.ts b/test/static.test.ts
@@ -130,6 +130,15 @@ describeMatrix("serve static", (t, { it, expect }) => {
     }
   });
 
+  it("does not pass double-encoded dot segments as traversal to backend", async () => {
+    const res = await t.fetch("/%252e%252e/%252e%252e/etc/passwd");
+    const text = await res.text();
+    // After first decode: %2e%2e/%2e%2e/etc/passwd
+    // Backend must NOT see %2e%2e which could be resolved as .. by downstream
+    expect(text).not.toContain("%2e%2e");
+    expect(text).not.toContain("%2E%2E");
+  });
+
   it("allows legitimate paths with dots", async () => {
     const allowed = [
       "/_...grid_123.js",
