Deny requests with path navigation segments (#808)

Author: Kaliumhexacyanoferrat

Engine/Internal/Protocol/Parser/RequestSecurity.cs

@@ -14,6 +14,16 @@ public static void Validate(Request request)
         {
             throw new ProtocolException("Multiple 'Host' headers specified");
         }
+
+        var target = request.Target.Path.Parts;
+
+        for (var i = 0; i < target.Count; i++)
+        {
+            if (target[i].Value == "." || target[i].Value == "..")
+            {
+                throw new ProtocolException("Segments '.' or '..' are now allowed in path");
+            }
+        }
     }
 
 }

Testing/Acceptance/Engine/Internal/Security/PathSegmentTests.cs

@@ -0,0 +1,31 @@
+namespace GenHTTP.Testing.Acceptance.Engine.Internal.Security;
+
+[TestClass]
+public class PathSegmentTests : WireTest
+{
+
+    [TestMethod]
+    public async Task TestUp()
+    {
+        var request = new []
+        {
+            "GET /../ HTTP/1.1",
+            "Host: host"
+        };
+
+        await TestAsync(request, "Segments '.' or '..' are now allowed in path");
+    }
+
+    [TestMethod]
+    public async Task TestEncoded()
+    {
+        var request = new []
+        {
+            "GET /%2E/ HTTP/1.1",
+            "Host: host"
+        };
+
+        await TestAsync(request, "Segments '.' or '..' are now allowed in path");
+    }
+
+}