clean api url paths from directory traversal (#539)

2025-12-14 23:33:31 +00:00 · 2021-11-09 15:37:58 -05:00
parent c4fb4a35ab
commit ea29f580a5
1 changed files with 3 additions and 0 deletions
--- a/common/src/services/api.service.ts
+++ b/common/src/services/api.service.ts
@@ -1616,6 +1616,9 @@ export class ApiService implements ApiServiceAbstraction {
            headers.set('User-Agent', this.customUserAgent);
        }

+        // Clean path from directory traversal
+        path = path.split('../').join('');
+
        const requestInit: RequestInit = {
            cache: 'no-store',
            credentials: this.getCredentials(),