
1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch

Medium
Fastify
Reported by drstrnegth

Vulnerability Details

Technical details and impact analysis

Uncontrolled Resource Consumption
## Summary:

When fastify-static is mounted at root and registered with the option `{ redirect: true }` (the default of the redirect option is `false`), the following line directly feeds the user's input, which is `req.raw.url`, to the URL API without try/catch: https://github.com/fastify/fastify-static/blob/master/index.js#L439. A remote attacker can send a GET request to the server with path = `//^/..`; this will cause the URL API to throw an error and eventually crash the server.

## Steps To Reproduce:

1. Download `fastify-dos.zip`
2. bash run.sh
3. Open your terminal and run: `curl --path-as-is "http://localhost:3000//^/.."`

After that the server will crash and return the error `TypeError [ERR_INVALID_URL]: Invalid URL: //^/..`.

## Fix proposal

You can add a try/catch to prevent the crash. However, if you only fix it by adding try/catch, an attacker can still cause an open redirect.

1. Run the server in my `fastify-dos.zip` again
2. Use Google Chrome and navigate to `http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e` (I tested on Chrome, Firefox, Safari, Opera, Edge; it worked on all of them)
3. You will see that you get redirected to `https://www.youtube.com/..%2F..`

I like the idea of fixing the open redirect by having a base URL = `http://localhost.com/` as the second parameter in https://github.com/fastify/fastify-static/blob/master/index.js#L439. However, I looked up the MDN spec for the URL API and I was surprised when I saw the last example at https://developer.mozilla.org/en-US/docs/Web/API/URL/URL#examples, which is `new URL("//foo.com", "https://example.com") // => 'https://foo.com' (see relative URLs)`; this is the main reason why the open redirect bug still persists. To fix this bug, I think we can check the leading slashes of `req.raw.url`, and allow at most 1 leading slash `/` before attempting to redirect.

## Impact

- Denial of service
- Open redirect

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Uncontrolled Resource Consumption