From 9bce51f651aad297ef9eb6df832bfdaf1de05d84 Mon Sep 17 00:00:00 2001
From: WXL <wl_5969728@163.com>
Date: 星期三, 22 四月 2026 14:27:54 +0800
Subject: [PATCH] 青岛推送

---
 node_modules/@types/node/url.d.ts |   31 ++++++++++++++++++++++---------
 1 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/node_modules/@types/node/url.d.ts b/node_modules/@types/node/url.d.ts
index 6f5b885..8803a03 100644
--- a/node_modules/@types/node/url.d.ts
+++ b/node_modules/@types/node/url.d.ts
@@ -1,12 +1,3 @@
-/**
- * The `node:url` module provides utilities for URL resolution and parsing. It can
- * be accessed using:
- *
- * ```js
- * import url from 'node:url';
- * ```
- * @see [source](https://github.com/nodejs/node/blob/v25.x/lib/url.js)
- */
 declare module "node:url" {
     import { Blob, NonSharedBuffer } from "node:buffer";
     import { ClientRequestArgs } from "node:http";
@@ -334,6 +325,19 @@
      * new URL('file:///hello world').pathname;   // Incorrect: /hello%20world
      * fileURLToPath('file:///hello world');      // Correct:   /hello world (POSIX)
      * ```
+     *
+     * **Security Considerations:**
+     *
+     * This function decodes percent-encoded characters, including encoded dot-segments
+     * (`%2e` as `.` and `%2e%2e` as `..`), and then normalizes the resulting path.
+     * This means that encoded directory traversal sequences (such as `%2e%2e`) are
+     * decoded and processed as actual path traversal, even though encoded slashes
+     * (`%2F`, `%5C`) are correctly rejected.
+     *
+     * **Applications must not rely on `fileURLToPath()` alone to prevent directory
+     * traversal attacks.** Always perform explicit path validation and security checks
+     * on the returned path value to ensure it remains within expected boundaries
+     * before using it for file system operations.
      * @since v10.12.0
      * @param url The file URL string or URL object to convert to a path.
      * @return The fully-resolved platform-specific Node.js file path.
@@ -344,6 +348,15 @@
      * representation of the path, a `Buffer` is returned. This conversion is
      * helpful when the input URL contains percent-encoded segments that are
      * not valid UTF-8 / Unicode sequences.
+     *
+     * **Security Considerations:**
+     *
+     * This function has the same security considerations as `url.fileURLToPath()`.
+     * It decodes percent-encoded characters, including encoded dot-segments
+     * (`%2e` as `.` and `%2e%2e` as `..`), and normalizes the path. **Applications
+     * must not rely on this function alone to prevent directory traversal attacks.**
+     * Always perform explicit path validation on the returned buffer value before
+     * using it for file system operations.
      * @since v24.3.0
      * @param url The file URL string or URL object to convert to a path.
      * @returns The fully-resolved platform-specific Node.js file path

--
Gitblit v1.9.3