
Named path parameters can be overridden in TrieRouter

Impact

Clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

Code to reproduce the issue. The server-side application:

```ts
import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

// Use TrieRouter explicitly instead of the default RegExpRouter
const app = new Hono({ router: new TrieRouter() })

// Random delay so that several in-flight requests overlap
app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) => {
  const id = c.req.param('id')
  const version = c.req.param('version')
  console.log('path', c.req.path)
  console.log('version', version)
  return c.json({
    id,
    version,
  })
})

export default app
```

The client code which makes requests to the server application:

```ts
const examples = [
  'https://localhost:8787/modules/first/versions/first',
  'https://localhost:8787/modules/second/versions/second',
  'https://localhost:8787/modules/third/versions/third',
]

const test = () => {
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        const splitted = example.split('/')
        const expected = …
```
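The following is an added example, not code from Hono or from the advisory. It models the bug class the reproduction above exercises, under the assumption that the router keeps one params object per route and mutates it on every match: a handler that reads its params only after an `await` then observes the values of whichever request matched last. The router, `matchRoute` and `versionsSeenByHandlers` are this example's own names; the per-match fresh object is the defensive pattern to compare against.

```typescript
// Added example (not Hono's code). Assumed root cause: a params object stored
// on the route is reused and overwritten by every match.
type Params = Record<string, string>
interface Route { segments: string[]; params: Params }

function matchRoute(route: Route, path: string, reuseParams: boolean): Params | null {
  const parts = path.split('/')
  if (parts.length !== route.segments.length) return null
  // Check literal segments first so a mismatch never partially mutates state.
  for (let i = 0; i < parts.length; i++) {
    const seg = route.segments[i]
    if (!seg.startsWith(':') && seg !== parts[i]) return null
  }
  // Vulnerable pattern: hand back the object kept on the route.
  // Fixed pattern: allocate a fresh object for this match only.
  const params: Params = reuseParams ? route.params : {}
  for (let i = 0; i < parts.length; i++) {
    const seg = route.segments[i]
    if (seg.startsWith(':')) params[seg.slice(1)] = parts[i]
  }
  return params
}

// Three requests arrive close together. The middleware delay in the advisory's
// server lets every request be matched before any handler reads its params;
// that ordering is reproduced here synchronously.
function versionsSeenByHandlers(reuseParams: boolean): string[] {
  const route: Route = {
    segments: '/modules/:id/versions/:version'.split('/'),
    params: {},
  }
  const paths = [
    '/modules/first/versions/first',
    '/modules/second/versions/second',
    '/modules/third/versions/third',
  ]
  const matched = paths.map((p) => matchRoute(route, p, reuseParams))
  // Handlers resume and read `version` only now.
  return matched.map((m) => (m ? m.version : 'no-match'))
}
```

With `reuseParams` true every handler reports `third`; with a fresh object per match each handler sees its own request's value, which is the property a regression test for this advisory should assert.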
