arlecchino
https://github.com/restify/node-restify/blob/839fb4a2b5e5434d43e60e1abb936e153c659c31/test/server.test.js#L461-L469 ???
See https://github.com/restify/node-restify/issues/1910
https://github.com/restify/node-restify/blob/839fb4a2b5e5434d43e60e1abb936e153c659c31/lib/plugins/static.js#L169-L184 Because of the `decodeURIComponent()` the traversal might also be possible with `appendRequestPath: false`: `%2F..%2Fapp.js` There should be a check whether the file is below `opts.directory`.
The check is there: https://github.com/restify/node-restify/blob/839fb4a2b5e5434d43e60e1abb936e153c659c31/lib/plugins/static.js#L92-L93 https://github.com/restify/node-restify/blob/839fb4a2b5e5434d43e60e1abb936e153c659c31/lib/plugins/static.js#L194-L197 But the normalization of `file` got _lost_ by these changes of @ap0 https://github.com/restify/node-restify/commit/9f84a8542d6d502ef3e094c0b321173c13780094
Seems to also be a problem with the check... https://github.com/restify/node-restify/pull/1692 And the correct error for this case would not be `NotAuthorizedError` but `ForbiddenError`.
And the check could be done faster without RE-matching -> string startsWith().
Where is the attack vector?
See https://github.com/restify/node-restify/issues/1910
The correct error for this would be `ForbiddenError`!
It is on the server side... The web framework Rocket uses hyper as its base... Here https://github.com/SergioBenitez/Rocket/blob/8cae077ba1d54b92cdef3e171a730b819d5eeb8e/core/lib/src/server.rs#L459-L465 the [`service_fn`](https://github.com/SergioBenitez/Rocket/blob/8cae077ba1d54b92cdef3e171a730b819d5eeb8e/core/lib/src/server.rs#L463) is called on an invalid URI with HTTP/2, while hyper aborts this with HTTP/1.1...