Check for path traversal after URL decoding

containsPathTraversal only checked literal ".." segments separated by
forward slashes. Encoded forms like %2e%2e%2f or backslash separators
would slip past if a caller ever passed a raw or Windows-style path.

The check now URL-decodes the input and treats backslashes as
separators before splitting. Go's stdlib already decodes r.URL.Path so
the encoded case is mostly belt-and-braces for cache keys and other
non-router inputs, but the storage layer guard from #106 makes this
worth locking in with tests.

Fixes #74

internal/handler/handler.go

@@ -24,9 +24,21 @@ import (
 )
 
 // containsPathTraversal returns true if the path contains ".." segments
-// that could be used to escape the intended directory.
+// that could be used to escape the intended directory. It checks the path
+// as given and after URL-decoding, and treats backslashes as separators.
 func containsPathTraversal(path string) bool {
-	for _, segment := range strings.Split(path, "/") {
+	if hasDotDotSegment(path) {
+		return true
+	}
+	if decoded, err := url.PathUnescape(path); err == nil && decoded != path {
+		return hasDotDotSegment(decoded)
+	}
+	return false
+}
+
+func hasDotDotSegment(path string) bool {
+	path = strings.ReplaceAll(path, "\\", "/")
+	for segment := range strings.SplitSeq(path, "/") {
 		if segment == ".." {
 			return true
 		}

internal/handler/path_traversal_test.go

@@ -14,6 +14,15 @@ func TestContainsPathTraversal(t *testing.T) {
 		{"pool/main/../../../etc/shadow", true},
 		{"pool/..hidden/file", false}, // ".." as a segment, not "..hidden"
 		{"", false},
+		{"%2e%2e/etc/passwd", true},
+		{"%2e%2e%2fetc%2fpasswd", true},
+		{"pool/%2e%2e/%2e%2e/etc/shadow", true},
+		{"%2E%2E%2Fetc", true},
+		{`..\\etc\\passwd`, true},
+		{`pool\\..\\..\\etc`, true},
+		{"%2e%2e%5cetc%5cpasswd", true},
+		{"pool/%2e%2ehidden/file", false},
+		{"pool/%zz/bad-encoding", false},
 	}
 
 	for _, tt := range tests {