usualoma
Member

fix: enable to serve filename with double dots

As described in the hono core, filenames such as foo..bar.txt should be accepted.

https://github.com/honojs/hono/blob/530ab09ae10caf33903dfb677dff239df01d5ded/src/utils/filepath.test.ts#L13-L17

refactor: simplify serve-static() function

Security check

Since the only untrusted string is c.req.path, I think the check should only be done in the following location.

https://github.com/honojs/node-server/compare/main...usualoma:node-server:refactor-serve-static?expand=1#diff-85001ab5aae1b04893fe64f90842d5e368e62920e6655ccc1792aa4dff852794R73-R80

I don't think any invalid strings will be entered here.

https://github.com/honojs/node-server/compare/main...usualoma:node-server:refactor-serve-static?expand=1#diff-85001ab5aae1b04893fe64f90842d5e368e62920e6655ccc1792aa4dff852794L102-L106

Stop calling resolve()

If security checks have been completed, I don't think it's necessary to call resolve() in serveStatic().
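
The distinction the description above relies on, a `..` path segment versus dots inside a filename such as foo..bar.txt, shown as an added example that is not part of this pull request or of hono's code. `toRelativePath` and `classify` are hypothetical names, the sample paths are constructed, and the caller is assumed to join the result onto a fixed static root.

```javascript
// Added example: the names below are hypothetical, not hono's API.
// Match ".." only when it is a whole path segment, bounded by a separator
// ("/" or "\") or by the start/end of the string.
const PARENT_SEGMENT = /(?:^|[\/\\])\.\.(?:$|[\/\\])/;

// Returns a path relative to the static root, or null if the request path
// must not be served. Works on the string only; no filesystem resolve().
function toRelativePath(requestPath) {
  let decoded;
  try {
    // Decode exactly once and check the decoded form, so "%2e%2e" is
    // judged as "..".
    decoded = decodeURIComponent(requestPath);
  } catch (e) {
    return null; // malformed percent-encoding such as "%zz"
  }
  if (decoded.includes('\0')) return null; // NUL never belongs in a filename
  if (PARENT_SEGMENT.test(decoded)) return null;
  return decoded.replace(/^[\/\\]+/, ''); // drop leading separators
}

// Constructed sample request paths.
const samples = [
  '/foo..bar.txt',             // dots inside a filename: allowed
  '/static/a..b/c...txt',      // still not a ".." segment: allowed
  '/../secret.txt',            // plain parent segment
  '/static/..%2Fsecret.txt',   // separator hidden by percent-encoding
  '/static/%2e%2e/secret.txt', // dots hidden by percent-encoding
  '/static\\..\\secret.txt',   // backslash separators
  '/static/%zz',               // malformed encoding
];

// Pair every path with the decision made for it.
function classify(paths) {
  return paths.map((p) => [p, toRelativePath(p)]);
}

for (const [p, rel] of classify(samples)) {
  console.log(p.padEnd(28), rel === null ? 'rejected' : `serve ${rel}`);
}
```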

@usualoma
Member Author

Hi @yusukebe
I would like to make this adjustment. What do you think?

Member

@yusukebe yusukebe left a comment

LGTM!

@yusukebe yusukebe changed the title from "improve serve-static function" to "fix: improve serve-static function" Jul 20, 2025
@yusukebe
Member

@usualoma

> Since the only untrusted string is c.req.path

Makes sense. We must consider only the case of c.req.path.

The code is cleaner and shorter. Looks good! Thank you.

@yusukebe yusukebe merged commit 745dd0d into honojs:main Jul 20, 2025
4 checks passed