diff --git a/src/pages/api/services/proxy.js b/src/pages/api/services/proxy.js
index 9347c4eb2..4fdccd038 100644
--- a/src/pages/api/services/proxy.js
+++ b/src/pages/api/services/proxy.js
@@ -47,7 +47,7 @@ export default async function handler(req, res) {
 if (!mapping.segments.includes(key)) {
 logger.debug("Unsupported segment: %s", key);
 return res.status(403).json({ error: "Unsupported segment" });
- } else if (segments[key].includes("/")) {
+ } else if (segments[key].includes("/") || segments[key].includes("\\") || segments[key].includes("..")) {
 logger.debug("Unsupported segment value: %s", segments[key]);
 return res.status(403).json({ error: "Unsupported segment value" });
 }
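Review bot: The extended `else if` still calls `.includes` on `segments[key]` without checking that it is a string, so a non-string value is handled wrongly: on an array `.includes` compares whole elements rather than substrings, and on a number or `null` it throws instead of returning the 403. If `segments` is parsed from the request (that code is outside the hunk), put a type guard first, `} else if (typeof segments[key] !== "string" || segments[key].includes("/") || segments[key].includes("\\") || segments[key].includes("..")) {`. The check also remains a denylist; depending on how the value is later placed into the upstream URL, characters such as `?`, `#` or percent-encoded separators may need the same treatment, so an allowlist of the characters a segment legitimately needs would be the more robust form. The body of `handler` begins and ends outside the hunk.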