use normalizeFilePath instead of URL

honojs · Sep 21, 2024 · 5f07dd7 · 5f07dd7
1 parent a93839a
commit 5f07dd7
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/src/utils/filepath.test.ts b/src/utils/filepath.test.ts
@@ -80,6 +80,17 @@ describe('getFilePath', () => {
     expect(
       getFilePath({ filename: 'foo.txt', root: slashToBackslash('/p/../p2'), allowAbsoluteRoot })
     ).toBe('/p2/foo.txt')
+    expect(
+      getFilePath({ filename: 'foo.txt', root: slashToBackslash('/p/.../p2'), allowAbsoluteRoot })
+    ).toBe('/p/.../p2/foo.txt')
+
+    expect(
+      getFilePathWithoutDefaultDocument({
+        filename: '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
+        root: '/p/p2',
+        allowAbsoluteRoot: true,
+      })
+    ).toBe('/p/p2/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd') // /etc/passwd
   })
 })
 

diff --git a/src/utils/filepath.ts b/src/utils/filepath.ts
@@ -31,6 +31,24 @@ export const getFilePath = (options: FilePathOptions): string | undefined => {
   return path
 }
 
+const normalizeFilePath = (filePath: string) => {
+  const parts = filePath.split(/[\/\\]/)
+
+  const result = []
+
+  for (const part of parts) {
+    if (part === '' || part === '.') {
+      continue
+    } else if (part === '..') {
+      result.pop()
+    } else {
+      result.push(part)
+    }
+  }
+
+  return '/' + (result.length === 1 ? result[0] : result.join('/'))
+}
+
 export const getFilePathWithoutDefaultDocument = (
   options: Omit<FilePathOptions, 'defaultDocument'>
 ): string | undefined => {
@@ -61,9 +79,8 @@ export const getFilePathWithoutDefaultDocument = (
   } else {
     // assets => /assets
     path = path.replace(/^(?!\/)/, '/')
-    // Using URL to normalize the path.
-    const url = new URL(`file://${path}`)
-    path = url.pathname
+    // /assets/foo/../bar => /assets/bar
+    path = normalizeFilePath(path)
   }
 
   return path