From cbdc2c51c483dfb2a81871eaa405a9c30879cd3c Mon Sep 17 00:00:00 2001
From: Qstick <qstick@gmail.com>
Date: Wed, 23 Mar 2022 19:21:12 -0500
Subject: [PATCH] Improve path validation for Custom Script notifications

---
 .../CustomScript/CustomScript.cs              | 33 ++++++++++++-------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/src/NzbDrone.Core/Notifications/CustomScript/CustomScript.cs b/src/NzbDrone.Core/Notifications/CustomScript/CustomScript.cs
index a69b4ae03..94efe294f 100644
--- a/src/NzbDrone.Core/Notifications/CustomScript/CustomScript.cs
+++ b/src/NzbDrone.Core/Notifications/CustomScript/CustomScript.cs
@@ -222,22 +222,33 @@ namespace NzbDrone.Core.Notifications.CustomScript
                 failures.Add(new NzbDroneValidationFailure("Path", "File does not exist"));
             }
 
-            try
+            foreach (var systemFolder in SystemFolders.GetSystemFolders())
             {
-                var environmentVariables = new StringDictionary();
-                environmentVariables.Add("Readarr_EventType", "Test");
-
-                var processOutput = ExecuteScript(environmentVariables);
-
-                if (processOutput.ExitCode != 0)
+                if (systemFolder.IsParentPath(Settings.Path))
                 {
-                    failures.Add(new NzbDroneValidationFailure(string.Empty, $"Script exited with code: {processOutput.ExitCode}"));
+                    failures.Add(new NzbDroneValidationFailure("Path", $"Must not be a descendant of '{systemFolder}'"));
                 }
             }
-            catch (Exception ex)
+
+            if (failures.Empty())
             {
-                _logger.Error(ex);
-                failures.Add(new NzbDroneValidationFailure(string.Empty, ex.Message));
+                try
+                {
+                    var environmentVariables = new StringDictionary();
+                    environmentVariables.Add("Readarr_EventType", "Test");
+
+                    var processOutput = ExecuteScript(environmentVariables);
+
+                    if (processOutput.ExitCode != 0)
+                    {
+                        failures.Add(new NzbDroneValidationFailure(string.Empty, $"Script exited with code: {processOutput.ExitCode}"));
+                    }
+                }
+                catch (Exception ex)
+                {
+                    _logger.Error(ex);
+                    failures.Add(new NzbDroneValidationFailure(string.Empty, ex.Message));
+                }
             }
 
             return new ValidationResult(failures);