fix(serveStatic): add guard to prevent reading empty folders (#3639)

Fixes #3628 * fix(serveStatic): add guard to prevent reading empty folders * fix(serveStatic): remove unnecessary Deno.stat * test(serveStatic): add test cases related to isDir guard
2024-12-01 11:51:01 +01:00 · 2024-11-08 02:06:53 +01:00 · 2024-11-08 02:06:53 +01:00 · 65f2a3be93
commit 65f2a3be93
parent a6ccfa29ca
2 changed files with 21 additions and 0 deletions
--- a/runtime-tests/deno/middleware.test.tsx
+++ b/runtime-tests/deno/middleware.test.tsx
@ -139,6 +139,22 @@ Deno.test('Serve Static middleware', async () => {
  res = await app.request('http://localhost/static-absolute-root/plain.txt')
  assertEquals(res.status, 200)
  assertEquals(await res.text(), 'Deno!')
+
+  res = await app.request('http://localhost/static')
+  assertEquals(res.status, 404)
+  assertEquals(await res.text(), '404 Not Found')
+
+  res = await app.request('http://localhost/static/dir')
+  assertEquals(res.status, 404)
+  assertEquals(await res.text(), '404 Not Found')
+
+  res = await app.request('http://localhost/static/helloworld/nested')
+  assertEquals(res.status, 404)
+  assertEquals(await res.text(), '404 Not Found')
+
+  res = await app.request('http://localhost/static/helloworld/../')
+  assertEquals(res.status, 404)
+  assertEquals(await res.text(), '404 Not Found')
 })

 Deno.test('JWT Authentication middleware', async () => {
--- a/src/adapter/deno/serve-static.ts
+++ b/src/adapter/deno/serve-static.ts
@ -10,6 +10,10 @@ export const serveStatic = <E extends Env = Env>(
  return async function serveStatic(c, next) {
    const getContent = async (path: string) => {
      try {
+        if (isDir(path)) {
+          return null
+        }
+
        const file = await open(path)
        return file.readable
      } catch (e) {
@ -30,6 +34,7 @@ export const serveStatic = <E extends Env = Env>(
      } catch {}
      return isDir
    }
+
    return baseServeStatic({
      ...options,
      getContent,