From 6a0a789e09c047d37e9c80d9c55685ee183e2ab0 Mon Sep 17 00:00:00 2001
From: Ivan Paramonau
Date: Mon, 9 Dec 2024 10:52:48 -0500
Subject: [PATCH] api: block local file paths
---
 modules/api/views.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/api/views.js b/modules/api/views.js
index c17334a6f..4669aab12 100644
--- a/modules/api/views.js
+++ b/modules/api/views.js
@@ -106,6 +106,11 @@ function processInitialErrors(uri, next) {
 next(new utils.HttpError(400, "local domains not supported"));
 return true;
 }
+
+ if (/^(https?:\/\/)?\./i.test(uri)) {
+ next(new utils.HttpError(400, "file paths are not accepted"));
+ return true;
+ }
 }
 export default function(app) {
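Review bot: The added guard `/^(https?:\/\/)?\./i` rejects only values whose first character, after an optional `http(s)://`, is a dot, so it covers `./` and `../` forms but not absolute paths, backslash-separated paths or a `file:` scheme. Those may be rejected elsewhere in `processInitialErrors`, whose body starts above this hunk, but nothing visible here does so. A prefix denylist tends to miss cases; prefer accepting only input that parses as an http(s) URL with a non-empty host. If protocol-relative input is not needed, a smaller step is to widen the test to `if (/^(https?:\/\/)?[.\/\\]/i.test(uri) || /^file:/i.test(uri)) {`. A short comment such as `// dot-leading values (./x, ../x) are file paths, not hosts` would explain why the dot is singled out, since a hostname typed with a leading dot will also get the "file paths are not accepted" message.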