fix(static): use path.Clean for fs.FS resolution to block Windows backslash bypass

CI on windows-latest caught that StaticDirectoryHandler resolved the static file
name with filepath.Clean + filepath.ToSlash, which is OS-specific. An encoded
backslash (%5C) decodes to a literal '\' that the router does not treat as a
separator (it matches on the raw/canonical path), but on Windows filepath.Clean
then interprets '\' as a path separator and resolves a file across a boundary the
route never authorized -- serving /admin%5Csecret.txt as admin/secret.txt (the
GHSA-pgvm-wxw2-hrv9 Windows backslash traversal class). On Linux '\' stays literal,
which is why local tests passed.

fs.FS paths are always forward-slash, so use path.Clean (OS-independent), matching
what middleware/static.go already does. The HasEncodedPathSeparator guard still
covers the %2F case where the param stays percent-encoded.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: vishr

echo.go

@@ -53,6 +53,7 @@ import (
 	"net/url"
 	"os"
 	"os/signal"
+	"path"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -606,8 +607,11 @@ func StaticDirectoryHandler(fileSystem fs.FS, disablePathUnescaping bool) Handle
 			p = tmpPath
 		}
 
-		// fs.FS.Open() already assumes that file names are relative to FS root path and considers name with prefix `/` as invalid
-		name := filepath.ToSlash(filepath.Clean(strings.TrimPrefix(p, "/")))
+		// fs.FS.Open() already assumes that file names are relative to FS root path and considers name with prefix `/` as invalid.
+		// Use path.Clean (not filepath.Clean): fs.FS paths are always forward-slash, so a backslash must stay a literal
+		// character rather than being interpreted as a separator on Windows (which would resolve a file across a boundary
+		// the router never matched on, the same Windows backslash traversal class as GHSA-pgvm-wxw2-hrv9).
+		name := path.Clean(strings.TrimPrefix(p, "/"))
 		fi, err := fs.Stat(fileSystem, name)
 		if err != nil {
 			return ErrNotFound