Keryx Static File Server Lacks Critical Path Traversal Security Tests, Risking CVE-Class Vulnerabilities
A critical security gap has been identified in the Keryx framework's static file server: there are no automated tests verifying that it blocks standard path-traversal attacks. This omission leaves the server exposed to a well-known class of web security flaws in which an attacker reads sensitive system files such as `/etc/passwd` by manipulating URL paths. Without these tests, a regression could be introduced silently, creating an exploitable condition that would likely qualify for a CVE (Common Vulnerabilities and Exposures) designation.
The test suite, located in `packages/keryx/__tests__/util/webStaticFiles.test.ts`, must be expanded to validate rejection of multiple attack vectors. This includes basic sequences like `../../etc/passwd`, URL-encoded variants (`%2e%2e%2f`), double-encoded payloads, absolute paths, and attempts to follow symbolic links that point outside the designated static file root directory. Each of these represents a distinct method attackers use to bypass directory restrictions and read unauthorized files.
Given the severity, this issue is marked as a high-priority security task. The lack of validation for such fundamental security controls is a significant oversight in a core utility package. Without these tests, any future code change to the static file server could inadvertently re-introduce a path traversal vulnerability, posing a direct risk to any application relying on Keryx for static asset serving. The fix is a preventative measure essential for maintaining the integrity and security posture of the framework.