Reject URLs where the path starts with triple slash (#54057)

src/shielding/middleware/handle-invalid-paths.ts

@@ -7,6 +7,7 @@ import { ExtendedRequest } from '@/types'
 // one of these.
 // These are clearly intentional "guesses" made by some sort of
 // pen-testing bot.
+const JUNK_STARTS = ['///']
 const JUNK_ENDS = [
   '/package.json',
   '/package-lock.json',
@@ -37,6 +38,12 @@ const JUNK_BASENAMES = new Set([
 function isJunkPath(path: string) {
   if (JUNK_PATHS.has(path)) return true
 
+  for (const junkPath of JUNK_STARTS) {
+    if (path.startsWith(junkPath)) {
+      return true
+    }
+  }
+
   for (const junkPath of JUNK_ENDS) {
     if (path.endsWith(junkPath)) {
       return true