Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Description
Published to the GitHub Advisory Database: Apr 23, 2024
Reviewed: Apr 23, 2024
Published by the National Vulnerability Database: Apr 23, 2024
Last updated: Apr 24, 2024
Summary
When using serveStatic with Deno, directory traversal is possible into the directory where main.ts is located.
My environment is configured as per this tutorial
https://hono.dev/getting-started/deno
PoC
$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt
source
request
response is content of main.ts
Impact
Unexpected files are retrieved.
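A containment check of the kind a static-file handler needs, as an added example that is not Hono's code or its fix. The helper name `resolveStaticPath`, the `/static/` prefix, the `./static` root and the sample requests are assumptions built on the directory layout shown in the PoC.

```typescript
// Added example: hypothetical helper, not Hono's implementation or its fix.
// Maps a request path to a file inside `root`, or returns null when the
// request must not be served.
function resolveStaticPath(
  requestPath: string,
  prefix: string, // URL prefix the static route is mounted on (assumed "/static/")
  root: string, // directory that holds the public files (assumed "./static")
): string | null {
  if (!requestPath.startsWith(prefix)) return null;

  // Decode exactly once; the decoded string is what the file system will see.
  let decoded: string;
  try {
    decoded = decodeURIComponent(requestPath.slice(prefix.length));
  } catch {
    return null; // malformed percent-encoding
  }

  // Backslash is a path separator on some platforms and NUL can truncate a
  // path, so neither is accepted in a file name here.
  if (/[\\\0]/.test(decoded)) return null;

  const segments: string[] = [];
  for (const segment of decoded.split("/")) {
    if (segment === "" || segment === ".") continue; // "//" and "./" are no-ops
    if (segment === "..") return null; // never walk upward
    segments.push(segment);
  }
  if (segments.length === 0) return null; // the directory itself is not a file

  return [root.replace(/\/+$/, ""), ...segments].join("/");
}

// Constructed requests against the layout from the PoC (static/a.txt beside main.ts).
const sampleRequests: string[] = [
  "/static/a.txt",
  "/static/../main.ts",
  "/static/%2e%2e/main.ts",
  "/main.ts",
];

// Returns the resolved path or null for each sample, in order.
function checkSamples(): (string | null)[] {
  return sampleRequests.map((p) => resolveStaticPath(p, "/static/", "./static"));
}
```

Only the first sample resolves to a file; every request that would reach main.ts returns null and should be answered with a 404.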