Fix path traversal vulnerability in static file serving

2026-02-20 16:08:25 -08:00 · 2026-02-20 16:08:25 -08:00 · 268cb9482a
commit 268cb9482a
parent 1b908f8ba3
1 changed files with 3 additions and 2 deletions
--- a/src/index.tsx
+++ b/src/index.tsx
@ -1,4 +1,4 @@
-import { join } from 'path'
+import { join, resolve } from 'path'
 import { render as formatHTML } from './lib/html-formatter'
 import { type Context, Hono, type Schema, type Env } from 'hono'
 import { serveStatic } from 'hono/bun'
@ -174,7 +174,8 @@ export class Hype<

    // serve transpiled js
    this.on('GET', ['/client/:path{.+}', '/shared/:path{.+}'], async c => {
-      const reqPath = './src/' + c.req.path.replace('..', '.')
+      const reqPath = resolve('./src/', c.req.path.slice(1))
+      if (!reqPath.startsWith(resolve('./src/'))) return render404(c)

      // strip known extension to get base path
      const base = reqPath.replace(/\.(js|jsx|ts|tsx)$/, '')