From 3287b6f2ff57d9d69c61861a5d1cdbf5304de21d Mon Sep 17 00:00:00 2001
From: Ivan Paramonau
Date: Mon, 9 Dec 2024 10:55:55 -0500
Subject: [PATCH] api: block more of the local file paths
---
 modules/api/views.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/api/views.js b/modules/api/views.js
index 4669aab12..f0c71d8b8 100644
--- a/modules/api/views.js
+++ b/modules/api/views.js
@@ -107,7 +107,7 @@ function processInitialErrors(uri, next) {
 return true;
 }

- if (/^(https?:\/\/)?\./i.test(uri)) {
+ if (/^(https?:\/\/)?(\.|\/|~)/i.test(uri)) {
 next(new utils.HttpError(400, "file paths are not accepted"));
 return true;
 }
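Review bot: The guard in processInitialErrors is still a prefix denylist, so it rejects only the spellings it lists (`.`, `/`, `~`, optionally after `http(s)://`). Other local-path forms, such as a `file:` scheme, a Windows drive or UNC path, or a value with leading whitespace, pass this test unless code outside the hunk catches them. An allow-list is easier to reason about: once the value is normalised, parse it in a try/catch and accept it only when `const u = new URL(uri)` gives `u.protocol` of `http:` or `https:` and a non-empty `u.hostname`, returning the same 400 otherwise. The new `\/` alternative also rejects scheme-relative input like `//host/path`, which may or may not be intended; a comment such as `// reject relative, absolute and home-dir paths, with or without an http(s):// prefix` would record the intent, and `[.\/~]` reads more simply than the alternation. The function starts and ends outside the hunk, so its earlier checks could not be reviewed.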