fix(mount): enforce path segment boundary in startsWith check

pi0 · pi0 · commit 7ccc9e250164 · 2026-03-19T21:30:08.000+01:00
Prevent mounted middleware from executing on unrelated routes that
share a string prefix (e.g., `/admin-public` matching `/admin` mount).
diff --git a/src/h3.ts b/src/h3.ts
@@ -124,7 +124,10 @@ export const H3 = /* @__PURE__ */ (() => {
         if (input["~middleware"].length > 0) {
           this["~middleware"].push((event, next) => {
             const originalPathname = event.url.pathname;
-            if (!originalPathname.startsWith(base)) {
+            if (
+              !originalPathname.startsWith(base) ||
+              (originalPathname.length > base.length && originalPathname[base.length] !== "/")
+            ) {
               return next();
             }
             event.url.pathname = event.url.pathname.slice(base.length) || "/";
diff --git a/src/utils/internal/path.ts b/src/utils/internal/path.ts
@@ -37,7 +37,7 @@ export function withoutBase(input: string = "", base: string = ""): string {
     return input;
   }
   const _base = withoutTrailingSlash(base);
-  if (!input.startsWith(_base)) {
+  if (!input.startsWith(_base) || (input.length > _base.length && input[_base.length] !== "/")) {
     return input;
   }
   const trimmed = input.slice(_base.length);
diff --git a/test/mount.test.ts b/test/mount.test.ts
@@ -197,5 +197,29 @@ describeMatrix("mount", (t, { it, expect, describe }) => {
 
       expect(logs).toHaveLength(0); // Middleware should not execute
     });
+
+    it("mounted middleware should not execute for prefix-matching paths without segment boundary", async () => {
+      const adminApp = new H3();
+      adminApp.use((event, next) => {
+        event.context.isAdmin = true;
+        return next();
+      });
+      adminApp.get("/dashboard", () => ({ admin: true }));
+
+      t.app.mount("/admin", adminApp);
+      t.app.get("/admin-public/info", (event) => ({
+        path: event.url.pathname,
+        isAdmin: event.context.isAdmin ?? false,
+      }));
+
+      // /admin/dashboard should trigger admin middleware
+      const adminRes = await t.fetch("/admin/dashboard");
+      expect(adminRes.status).toBe(200);
+
+      // /admin-public/info should NOT trigger admin middleware
+      const publicRes = await t.fetch("/admin-public/info");
+      const body = await publicRes.json();
+      expect(body.isAdmin).toBe(false);
+    });
   });
 });

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ export function withoutBase(input: string = "", base: string = ""): string {`
`37`	`37`	`return input;`
`38`	`38`	`}`
`39`	`39`	`const _base = withoutTrailingSlash(base);`
`40`		`- if (!input.startsWith(_base)) {`
	`40`	`+ if (!input.startsWith(_base) \|\| (input.length > _base.length && input[_base.length] !== "/")) {`
`41`	`41`	`return input;`
`42`	`42`	`}`
`43`	`43`	`const trimmed = input.slice(_base.length);`