fix(route-rules): reject out-of-scope redirect requests

Mirrors the scope check added for proxy rules. An encoded traversal like
`..%2f` bypasses the `/**` scope at match time but can escape the base
once the redirect target decodes `%2f` → `/`, letting a victim's
browser reach a sibling scope on the redirect host.

Author: pi0

src/runtime/internal/route-rules.ts

@@ -29,6 +29,9 @@ export const redirect: RouteRuleCtor<"redirect"> = ((m) =>
       let targetPath = event.url.pathname + event.url.search;
       const strpBase = (m.options as any)._redirectStripBase;
       if (strpBase) {
+        if (!isPathInScope(event.url.pathname, strpBase)) {
+          throw new HTTPError({ status: 400, message: "Invalid request path" });
+        }
         targetPath = withoutBase(targetPath, strpBase);
       }
       target = joinURL(target.slice(0, -3), targetPath);
@@ -103,7 +106,8 @@ export const basicAuth: RouteRuleCtor<"auth"> = /* @__PURE__ */ Object.assign(
 // Check whether `pathname`, after canonicalization, stays within `base`.
 // Prevents match/forward differentials where an encoded traversal like `..%2f`
 // bypasses the `/**` scope at match time but escapes the base once the
-// upstream decodes `%2f` → `/` (GHSA-5w89-w975-hf9q).
+// downstream (proxy upstream or redirect target) decodes `%2f` → `/`
+// (GHSA-5w89-w975-hf9q).
 //
 // WHATWG URL keeps `%2F` and `%5C` opaque in paths, so we pre-decode those,
 // then let `new URL` resolve `.`/`..`/`%2E%2E` segments and normalize `\`.

test/unit/route-rules.test.ts

@@ -32,7 +32,8 @@ describe("normalizeRouteRules - swr", () => {
 });
 
 // Regression for GHSA-5w89-w975-hf9q: an encoded traversal like `..%2f` must
-// not let a request escape a `/**` proxy scope once the upstream decodes it.
+// not let a request escape a `/**` proxy/redirect scope once the downstream
+// decodes it.
 describe("isPathInScope", () => {
   it("accepts in-scope paths", () => {
     expect(isPathInScope("/api/orders/list.json", "/api/orders")).toBe(true);