api: block more of the local file paths

iparamonau · iparamonau · commit 3287b6f2ff57 · 2024-12-09T10:55:55.000-05:00
diff --git a/modules/api/views.js b/modules/api/views.js
@@ -107,7 +107,7 @@ function processInitialErrors(uri, next) {
         return true;
     }
 
-    if (/^(https?:\/\/)?\./i.test(uri)) {
+    if (/^(https?:\/\/)?(\.|\/|~)/i.test(uri)) {
         next(new utils.HttpError(400, "file paths are not accepted"));
         return true;
     }

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ function processInitialErrors(uri, next) {`
`107`	`107`	`return true;`
`108`	`108`	`}`
`109`	`109`
`110`		`- if (/^(https?:\/\/)?\./i.test(uri)) {`
	`110`	`+ if (/^(https?:\/\/)?(\.\|\/\|~)/i.test(uri)) {`
`111`	`111`	`next(new utils.HttpError(400, "file paths are not accepted"));`
`112`	`112`	`return true;`
`113`	`113`	`}`