From 65f2a3be93c7500c186d3261c30c3824ab845697 Mon Sep 17 00:00:00 2001 From: oussamasf <59108871+oussamasf@users.noreply.github.com> Date: Fri, 8 Nov 2024 02:06:53 +0100 Subject: [PATCH] fix(serveStatic): add guard to prevent reading empty folders (#3639) Fixes #3628 * fix(serveStatic): add guard to prevent reading empty folders * fix(serveStatic): remove unnecessary Deno.stat * test(serveStatic): add test cases related to isDir guard --- runtime-tests/deno/middleware.test.tsx | 16 ++++++++++++++++ src/adapter/deno/serve-static.ts | 5 +++++ 2 files changed, 21 insertions(+) diff --git a/runtime-tests/deno/middleware.test.tsx b/runtime-tests/deno/middleware.test.tsx index 1ad4569f5..9ca6f9bf4 100644 --- a/runtime-tests/deno/middleware.test.tsx +++ b/runtime-tests/deno/middleware.test.tsx @@ -139,6 +139,22 @@ Deno.test('Serve Static middleware', async () => { res = await app.request('http://localhost/static-absolute-root/plain.txt') assertEquals(res.status, 200) assertEquals(await res.text(), 'Deno!') + + res = await app.request('http://localhost/static') + assertEquals(res.status, 404) + assertEquals(await res.text(), '404 Not Found') + + res = await app.request('http://localhost/static/dir') + assertEquals(res.status, 404) + assertEquals(await res.text(), '404 Not Found') + + res = await app.request('http://localhost/static/helloworld/nested') + assertEquals(res.status, 404) + assertEquals(await res.text(), '404 Not Found') + + res = await app.request('http://localhost/static/helloworld/../') + assertEquals(res.status, 404) + assertEquals(await res.text(), '404 Not Found') }) Deno.test('JWT Authentication middleware', async () => { diff --git a/src/adapter/deno/serve-static.ts b/src/adapter/deno/serve-static.ts index 0e28424d9..867f6f9ea 100644 --- a/src/adapter/deno/serve-static.ts +++ b/src/adapter/deno/serve-static.ts @@ -10,6 +10,10 @@ export const serveStatic = ( return async function serveStatic(c, next) { const getContent = async (path: string) => { try { + if (isDir(path)) { + return null + } + const file = await open(path) return file.readable } catch (e) { @@ -30,6 +34,7 @@ export const serveStatic = ( } catch {} return isDir } + return baseServeStatic({ ...options, getContent,