Merge commit from fork

yusukebe · web-flow · commit 751ba41ba26d · 2026-06-09T12:25:56.000+09:00
diff --git a/src/middleware/serve-static/index.test.ts b/src/middleware/serve-static/index.test.ts
@@ -79,6 +79,15 @@ describe('Serve Static Middleware', () => {
     expect(await res.text()).toBe('404 Not Found')
   })
 
+  it('Should not allow a backslash separator injection - /static/admin%5Csecret.txt', async () => {
+    const res = await app.fetch({
+      method: 'GET',
+      url: 'http://localhost/static/admin%5Csecret.txt',
+    } as Request)
+    expect(res.status).toBe(404)
+    expect(await res.text()).toBe('404 Not Found')
+  })
+
   it('Should return a pre-compressed zstd response - /static/hello.html', async () => {
     const app = new Hono().use(
       '*',
diff --git a/src/middleware/serve-static/index.ts b/src/middleware/serve-static/index.ts
@@ -64,7 +64,7 @@ export const serveStatic = <E extends Env = Env>(
     } else {
       try {
         filename = tryDecodeURI(c.req.path)
-        if (/(?:^|[\/\\])\.{1,2}(?:$|[\/\\])|[\/\\]{2,}/.test(filename)) {
+        if (/(?:^|[\/\\])\.{1,2}(?:$|[\/\\])|[\/\\]{2,}|\\/.test(filename)) {
           throw new Error()
         }
       } catch {

Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ export const serveStatic = <E extends Env = Env>(`
`64`	`64`	`} else {`
`65`	`65`	`try {`
`66`	`66`	`filename = tryDecodeURI(c.req.path)`
`67`		`- if (/(?:^\|[\/\\])\.{1,2}(?:$\|[\/\\])\|[\/\\]{2,}/.test(filename)) {`
	`67`	`+ if (/(?:^\|[\/\\])\.{1,2}(?:$\|[\/\\])\|[\/\\]{2,}\|\\/.test(filename)) {`
`68`	`68`	`throw new Error()`
`69`	`69`	`}`
`70`	`70`	`} catch {`