From 0ccbe1c5f8c6e0d48aecee0bb5dccfc2cce7e76d Mon Sep 17 00:00:00 2001
From: Qstick <qstick@gmail.com>
Date: Wed, 23 Mar 2022 19:18:14 -0500
Subject: [PATCH] Improve path validation for Custom Script notifications

---
 .../CustomScript/CustomScript.cs              | 34 +++++++++++++------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/src/NzbDrone.Core/Notifications/CustomScript/CustomScript.cs b/src/NzbDrone.Core/Notifications/CustomScript/CustomScript.cs
index 21c978108..e302a8386 100644
--- a/src/NzbDrone.Core/Notifications/CustomScript/CustomScript.cs
+++ b/src/NzbDrone.Core/Notifications/CustomScript/CustomScript.cs
@@ -5,6 +5,7 @@ using System.Linq;
 using FluentValidation.Results;
 using NLog;
 using NzbDrone.Common.Disk;
+using NzbDrone.Common.Extensions;
 using NzbDrone.Common.Processes;
 using NzbDrone.Common.Serializer;
 using NzbDrone.Core.Music;
@@ -176,22 +177,33 @@ namespace NzbDrone.Core.Notifications.CustomScript
                 failures.Add(new NzbDroneValidationFailure("Path", "File does not exist"));
             }
 
-            try
+            foreach (var systemFolder in SystemFolders.GetSystemFolders())
             {
-                var environmentVariables = new StringDictionary();
-                environmentVariables.Add("Lidarr_EventType", "Test");
-
-                var processOutput = ExecuteScript(environmentVariables);
-
-                if (processOutput.ExitCode != 0)
+                if (systemFolder.IsParentPath(Settings.Path))
                 {
-                    failures.Add(new NzbDroneValidationFailure(string.Empty, $"Script exited with code: {processOutput.ExitCode}"));
+                    failures.Add(new NzbDroneValidationFailure("Path", $"Must not be a descendant of '{systemFolder}'"));
                 }
             }
-            catch (Exception ex)
+
+            if (failures.Empty())
             {
-                _logger.Error(ex);
-                failures.Add(new NzbDroneValidationFailure(string.Empty, ex.Message));
+                try
+                {
+                    var environmentVariables = new StringDictionary();
+                    environmentVariables.Add("Lidarr_EventType", "Test");
+
+                    var processOutput = ExecuteScript(environmentVariables);
+
+                    if (processOutput.ExitCode != 0)
+                    {
+                        failures.Add(new NzbDroneValidationFailure(string.Empty, $"Script exited with code: {processOutput.ExitCode}"));
+                    }
+                }
+                catch (Exception ex)
+                {
+                    _logger.Error(ex);
+                    failures.Add(new NzbDroneValidationFailure(string.Empty, ex.Message));
+                }
             }
 
             return new ValidationResult(failures);