package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hono/node-server",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "description": "Node.js Adapter for Hono",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

src/request.ts

@@ -3,6 +3,7 @@
 
 import type { IncomingMessage } from 'node:http'
 import type { Http2ServerRequest } from 'node:http2'
+import { resolve } from 'node:path'
 import { Readable } from 'node:stream'
 
 const newRequestFromIncoming = (
@@ -41,7 +42,13 @@ const requestPrototype: Record<string | symbol, any> = {
   },
 
   get url() {
-    return `http://${this[incomingKey].headers.host}${this[incomingKey].url}`
+    let path = this[incomingKey]['path']
+    if (!path) {
+      const originalPath = this[incomingKey].url
+      path = /\.\./.test(originalPath) ? resolve(originalPath) : originalPath
+      this[incomingKey]['path'] = path
+    }
+    return `http://${this[incomingKey].headers.host}${path}`
   },
 
   [getRequestCache]() {

test/assets/secret.txt

@@ -0,0 +1 @@
+secret

test/request.test.ts

@@ -17,4 +17,17 @@ describe('Request', () => {
     expect(req.url).toBe('http://localhost/')
     expect(req.headers.get('host')).toBe('localhost')
   })
+
+  it('Should resolve double dots in URL', async () => {
+    const req = newRequest({
+      headers: {
+        host: 'localhost',
+      },
+      url: '/static/../foo.txt',
+    } as IncomingMessage)
+    expect(req).toBeInstanceOf(global.Request)
+    expect(req.url).toBe('http://localhost/foo.txt')
+    // Check if cached value is returned correctly
+    expect(req.url).toBe('http://localhost/foo.txt')
+  })
 })

test/serve-static.test.ts

@@ -129,4 +129,9 @@ describe('Serve Static Middleware', () => {
       './not-found/on-not-found/foo.txt is not found, request to /on-not-found/foo.txt'
     )
   })
+
+  it('Should handle double dots in URL', async () => {
+    const res = await request(server).get('/static/../secret.txt')
+    expect(res.status).toBe(404)
+  })
 })