Prerequisites
- I have written a descriptive issue title
- I have searched existing issues to ensure the bug has not already been reported
Fastify version
4.x.x
Plugin version
x.x.x
Node.js version
20.x
Operating system
Linux
Operating system version (i.e. 20.04, 11.3, 10)
22.04
Description
Hi,
When using an HTTP client that parses the URL with the WHATWG URL class, ../ and ./ are evaluated as described in the WHATWG standard:
https://url.spec.whatwg.org/#url-representation
A single-dot URL path segment is a URL path segment that is "." or an ASCII case-insensitive match for "%2e".
A double-dot URL path segment is a URL path segment that is ".." or an ASCII case-insensitive match for ".%2e", "%2e.", or "%2e%2e".
If buffer is a double-dot URL path segment, then Shorten url’s path.
What does this have to do with Fastify?
If a request hits Fastify, ../ and ./ are not evaluated; all the routing is done with the original path.
If you then forward the call to another service using request.raw.url with an HTTP client that uses the WHATWG URL class, a path traversal attack is possible.
So a completely different path can be called on the target service.
Steps to Reproduce
I have prepared a sample application.
https://github.com/stefanbeigel/whatwg-fastify-path-traversal/blob/main/index.mjs
Call the app with curl --path-as-is localhost:3000/abc/../foobar
Expected Behavior
Maybe Fastify could parse the incoming URL with a WHATWG-compliant URL parser and resolve ../ and ./ before the handler matching is done, and also put the parsed URL into request.raw.url.
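As an added example (not the issue's sample app and not Fastify's own code), the Node.js snippet below uses the global URL class, which is a WHATWG parser, to show what a forwarding client does with the literal request.raw.url, and a guard a proxying handler could apply before forwarding; the upstream host and the upstreamBase parameter are assumptions.

```javascript
// Added example, not code from the issue's sample app or from Fastify.
// Node's global URL class is a WHATWG URL parser, so it shows what a
// forwarding client will do with a request.raw.url that Fastify routed literally.

const PLACEHOLDER_BASE = 'http://upstream.invalid'; // assumed host; only the path matters

// Path a WHATWG URL parser actually requests for a raw request-target.
function whatwgPath(rawUrl) {
  return new URL(rawUrl, PLACEHOLDER_BASE).pathname;
}

// Request-target without query or fragment, i.e. the literal path the router matched.
function literalPath(rawUrl) {
  return rawUrl.split('?', 1)[0].split('#', 1)[0];
}

// Mirrors the WHATWG single-dot and double-dot segment definitions quoted in
// the issue: "." / "%2e" and ".." / ".%2e" / "%2e." / "%2e%2e", case-insensitive.
const DOT_SEGMENT = /^(?:\.|%2e|\.\.|\.%2e|%2e\.|%2e%2e)$/i;

function hasDotSegments(rawUrl) {
  return literalPath(rawUrl).split('/').some((seg) => DOT_SEGMENT.test(seg));
}

// Guard for a handler that proxies request.raw.url to upstreamBase (assumed
// parameter). Returns the URL to forward, or null when the path the router
// matched is not the path the upstream client would actually request.
function safeForwardUrl(rawUrl, upstreamBase) {
  if (hasDotSegments(rawUrl)) {
    return null; // reject (e.g. 400) rather than let the client collapse the path
  }
  const resolved = new URL(rawUrl, upstreamBase);
  if (resolved.origin !== new URL(upstreamBase).origin) {
    return null; // absolute-form request-target pointed the client at another host
  }
  if (resolved.pathname !== literalPath(rawUrl)) {
    return null; // parser changed the path in some other way; do not forward blindly
  }
  return resolved.href;
}

// Demonstration on the issue's reproduction path.
console.log(whatwgPath('/abc/../foobar'), safeForwardUrl('/abc/../foobar', PLACEHOLDER_BASE));
```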