fix(event): normalize percent-encoded URL pathname to prevent middleware bypass

Decode percent-encoded pathnames in H3Event constructor so route
matching and middleware guards see the same resolved path, preventing
auth bypass via encoded segments like /api/%61dmin/users.

Author: pi0

src/event.ts

@@ -59,7 +59,12 @@ export class H3Event<
     this.app = app;
     // Parsed URL can be provided by srvx (node) and other runtimes
     const _url = (req as { _url?: URL })._url;
-    this.url = _url && _url instanceof URL ? _url : new FastURL(req.url);
+    const url = _url && _url instanceof URL ? _url : new FastURL(req.url);
+    // Normalize percent-encoded pathname to prevent middleware bypass
+    if (url.pathname.includes("%")) {
+      url.pathname = decodeURI(url.pathname);
+    }
+    this.url = url;
   }
 
   /**

test/bench/bundle.test.ts

@@ -34,8 +34,8 @@ describe("benchmark", () => {
     if (process.env.DEBUG) {
       console.log(`Bundle size (H3Core): ${bundle.bytes} (gzip: ${bundle.gzipSize})`);
     }
-    expect(bundle.bytes).toBeLessThanOrEqual(6200); // <6.2kb
-    expect(bundle.gzipSize).toBeLessThanOrEqual(2500); // <2.5kb
+    expect(bundle.bytes).toBeLessThanOrEqual(6300); // <6.3kb
+    expect(bundle.gzipSize).toBeLessThanOrEqual(2600); // <2.6kb
   });
 
   it("bundle size (defineHandler)", async () => {

test/security.test.ts

@@ -0,0 +1,90 @@
+import { beforeEach } from "vitest";
+import { describeMatrix } from "./_setup.ts";
+
+describeMatrix("security: path encoding bypass", (ctx, { it, expect }) => {
+  beforeEach(() => {
+    ctx.app.use("/api/admin/**", (_event, next) => {
+      const token = _event.req.headers.get("authorization");
+      if (token !== "Bearer admin-secret-token") {
+        _event.res.status = 403;
+        return "Forbidden";
+      }
+      return next();
+    });
+
+    ctx.app.get("/api/admin/:action", (event) => {
+      return { admin: true, action: event.context.params?.action };
+    });
+
+    ctx.app.get("/api/public", () => {
+      return { public: true };
+    });
+  });
+
+  it("blocks unauthenticated access to /api/admin/users", async () => {
+    const res = await ctx.fetch("/api/admin/users");
+    expect(res.status).toBe(403);
+  });
+
+  it("allows authenticated access to /api/admin/users", async () => {
+    const res = await ctx.fetch("/api/admin/users", {
+      headers: { Authorization: "Bearer admin-secret-token" },
+    });
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ admin: true, action: "users" });
+  });
+
+  it("allows access to public endpoint", async () => {
+    const res = await ctx.fetch("/api/public");
+    expect(res.status).toBe(200);
+  });
+
+  it("should NOT bypass auth via percent-encoded path /api/%61dmin/users", async () => {
+    const res = await ctx.fetch("/api/%61dmin/users");
+    expect(res.status).not.toBe(200);
+  });
+
+  it("should NOT bypass auth via /api/admi%6e/users", async () => {
+    const res = await ctx.fetch("/api/admi%6e/users");
+    expect(res.status).not.toBe(200);
+  });
+
+  it("should NOT bypass auth via /%61pi/admin/users", async () => {
+    const res = await ctx.fetch("/%61pi/admin/users");
+    expect(res.status).not.toBe(200);
+  });
+
+  it("should NOT bypass auth via double encoding", async () => {
+    const res = await ctx.fetch("/api/%2561dmin/users");
+    expect(res.status).not.toBe(200);
+  });
+});
+
+describeMatrix("security: path encoding bypass with wildcard routes", (ctx, { it, expect }) => {
+  beforeEach(() => {
+    ctx.app.use("/api/admin/**", (_event, next) => {
+      const token = _event.req.headers.get("authorization");
+      if (token !== "Bearer admin-secret-token") {
+        _event.res.status = 403;
+        return "Forbidden";
+      }
+      return next();
+    });
+
+    ctx.app.all("/api/**", (event) => {
+      return { path: event.url.pathname };
+    });
+  });
+
+  it("blocks /api/admin/users without auth", async () => {
+    const res = await ctx.fetch("/api/admin/users");
+    expect(res.status).toBe(403);
+  });
+
+  // Known issue: wildcard routes match encoded paths that bypass middleware pathname checks
+  // The middleware sees "%61dmin" (raw) while the wildcard catches everything under /api/**
+  it("should NOT bypass auth with wildcard via /api/%61dmin/users", async () => {
+    const res = await ctx.fetch("/api/%61dmin/users");
+    expect(res.status).not.toBe(200);
+  });
+});