fix relative percent decoding in file middleware (#2500)

Sources/Vapor/Middleware/FileMiddleware.swift

@@ -13,8 +13,10 @@ public final class FileMiddleware: Middleware {
 
     /// See `Middleware`.
     public func respond(to request: Request, chainingTo next: Responder) -> EventLoopFuture<Response> {
-        // make a copy of the path
-        var path = request.url.path
+        // make a copy of the percent-decoded path
+        guard var path = request.url.path.removingPercentEncoding else {
+            return request.eventLoop.makeFailedFuture(Abort(.badRequest))
+        }
 
         // path must be relative.
         while path.hasPrefix("/") {
@@ -27,7 +29,7 @@ public final class FileMiddleware: Middleware {
         }
 
         // create absolute file path
-        let filePath = self.publicDirectory + (path.removingPercentEncoding ?? path)
+        let filePath = self.publicDirectory + path
 
         // check if file exists and is not a directory
         var isDir: ObjCBool = false

Tests/VaporTests/FileTests.swift

@@ -61,4 +61,19 @@ final class FileTests: XCTestCase {
             XCTAssertEqual(res.body.string, "<h1>Hello</h1>\n")
         }
     }
+
+    func testPercentDecodedRelativePath() throws {
+        let app = Application(.testing)
+        defer { app.shutdown() }
+
+        let path = #file.split(separator: "/").dropLast().joined(separator: "/")
+        app.middleware.use(FileMiddleware(publicDirectory: "/" + path))
+
+        try app.test(.GET, "%2e%2e/VaporTests/Utilities/foo.txt") { res in
+            XCTAssertEqual(res.status, .forbidden)
+        }.test(.GET, "Utilities/foo.txt") { res in
+            XCTAssertEqual(res.status, .ok)
+            XCTAssertEqual(res.body.string, "bar\n")
+        }
+    }
 }

Tests/VaporTests/Utilities/foo.txt

@@ -0,0 +1 @@
+bar