fix(mount): normalize percent-encoded pathname in requestWithBaseURL

Author: pi0

src/event.ts

@@ -2,6 +2,7 @@ import type { ServerRequest, ServerRuntimeContext } from "srvx";
 import type { H3EventContext } from "./types/context.ts";
 
 import { EmptyObject } from "./utils/internal/obj.ts";
+import { decodePathname } from "./utils/internal/path.ts";
 import { FastURL } from "srvx";
 import type { EventHandlerRequest, TypedServerRequest } from "./types/handler.ts";
 import type { H3Core } from "./h3.ts";
@@ -64,11 +65,8 @@ export class H3Event<
  const _url = (req as { _url?: URL })._url;
  const url = _url && _url instanceof URL ? _url : new FastURL(req.url);
  // Normalize percent-encoded pathname to prevent middleware bypass
- // Preserve %25 (encoded %) to avoid unintended double-decoding
  if (url.pathname.includes("%")) {
- url.pathname = decodeURI(
- url.pathname.includes("%25") ? url.pathname.replace(/%25/g, "%2525") : url.pathname,
- );
+ url.pathname = decodePathname(url.pathname);
  }
  this.url = url;
  }

src/utils/internal/path.ts

@@ -52,6 +52,15 @@ export function getPathname(path: string = "/"): string {
  * Resolve dot segments (`.` and `..`) in a path to prevent path traversal.
  * Ensures the resulting path never escapes above the root `/`.
  */
+/**
+ * Decode percent-encoded pathname, preserving %25 (literal `%`).
+ */
+export function decodePathname(pathname: string): string {
+ return decodeURI(
+ pathname.includes("%25") ? pathname.replace(/%25/g, "%2525") : pathname,
+ );
+}
+
 export function resolveDotSegments(path: string): string {
  if (!path.includes(".")) {
  return path;

src/utils/request.ts

@@ -1,4 +1,5 @@
 import { type ErrorDetails, HTTPError } from "../error.ts";
+import { decodePathname } from "./internal/path.ts";
 import { parseQuery } from "./internal/query.ts";
 import { validateData } from "./internal/validate.ts";
 import { getEventContext } from "./event.ts";
@@ -33,7 +34,7 @@ export function requestWithURL(req: ServerRequest, url: string): ServerRequest {
  */
 export function requestWithBaseURL(req: ServerRequest, base: string): ServerRequest {
  const url = new URL(req.url);
- url.pathname = url.pathname.slice(base.length) || "/";
+ url.pathname = decodePathname(url.pathname).slice(base.length) || "/";
  return requestWithURL(req, url.href);
 }
 

test/mount.test.ts

@@ -10,6 +10,24 @@ describeMatrix("mount", (t, { it, expect, describe }) => {
  expect(await t.fetch("/test/123").then((r) => r.text())).toBe("/123");
  });
 
+ it("normalizes percent-encoded base path", async () => {
+ t.app.mount("/api", async (req) => {
+ const url = new URL(req.url);
+ if (url.pathname.startsWith("/admin")) {
+ return new Response("Forbidden", { status: 403 });
+ }
+ return new Response(`OK: ${url.pathname}`);
+ });
+
+ // Normal request should be blocked
+ const res1 = await t.fetch("/api/admin");
+ expect(res1.status).toBe(403);
+
+ // Percent-encoded base path should still be blocked
+ const res2 = await t.fetch("/%61pi/admin");
+ expect(res2.status).toBe(403);
+ });
+
  it("works with compat object", async () => {
  t.app.mount("/test", {
  fetch: (req: Request) => new Response(new URL(req.url).pathname),