More path traversal fixes

gethomepage · Jun 3, 2024 · 52b733b · 52b733b
1 parent 7e50da8
commit 52b733b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/pages/api/services/proxy.js b/src/pages/api/services/proxy.js
@@ -47,7 +47,7 @@ export default async function handler(req, res) {
  if (!mapping.segments.includes(key)) {
  logger.debug("Unsupported segment: %s", key);
  return res.status(403).json({ error: "Unsupported segment" });
- } else if (segments[key].includes("/")) {
+ } else if (segments[key].includes("/") || segments[key].includes("\\") || segments[key].includes("..")) {
  logger.debug("Unsupported segment value: %s", segments[key]);
  return res.status(403).json({ error: "Unsupported segment value" });
  }