fix(static): prevent backslash-based path traversal in resolveDotSegments

normalize `\` to `/` before resolving dot segments to block traversal via
`/..\\etc\\passwd` and `/%5c` encoded variants. adds test coverage for
blocked traversal paths and allowed dot-containing filenames.

Author: pi0

src/utils/internal/path.ts

@@ -56,7 +56,8 @@ export function resolveDotSegments(path: string): string {
   if (!path.includes(".")) {
     return path;
   }
-  const segments = path.split("/");
+  // Normalize backslashes to forward slashes to prevent traversal via `\`
+  const segments = path.replaceAll("\\", "/").split("/");
   const resolved: string[] = [];
   for (const segment of segments) {
     if (segment === "..") {

standard-context

@@ -0,0 +1 @@
+Subproject commit 1db9a051ce1c2014a6ca5d0d2f3e569f9f4b05cc

test/static.test.ts

@@ -111,6 +111,40 @@ describeMatrix("serve static", (t, { it, expect }) => {
     expect(text).not.toContain("..");
     expect(text).toMatch(/^asset:\/etc\/passwd/);
   });
+
+  it("blocks path traversal attempts", async () => {
+    const blocked = [
+      "/../etc/passwd",
+      "/%2e%2e/",
+      "/%2E%2E/",
+      "/assets/../../etc/passwd",
+      "/assets/..",
+      "/..\\etc\\passwd",
+      "/..%5c..%5cetc%5cpasswd",
+      "/..",
+    ];
+    for (const path of blocked) {
+      const res = await t.fetch(path);
+      const text = await res.text();
+      expect(text).not.toContain("..");
+    }
+  });
+
+  it("allows legitimate paths with dots", async () => {
+    const allowed = [
+      "/_...grid_123.js",
+      "/file..name.js",
+      "/.hidden",
+      "/assets/file.txt",
+      "/...test/file.js",
+    ];
+    for (const path of allowed) {
+      const res = await t.fetch(path);
+      expect(res.status).toEqual(200);
+      const text = await res.text();
+      expect(text).toContain("asset:");
+    }
+  });
 });
 
 describeMatrix("serve static with fallthrough", (t, { it, expect }) => {