From c96e6703d38678de294bdbb3be55f0be0dabdb04 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Mon, 3 Jun 2024 07:03:30 -0700
Subject: [PATCH] More path traversal fixes

---
 src/pages/api/services/proxy.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pages/api/services/proxy.js b/src/pages/api/services/proxy.js
index 9347c4eb2..4fdccd038 100644
--- a/src/pages/api/services/proxy.js
+++ b/src/pages/api/services/proxy.js
@@ -47,7 +47,7 @@ export default async function handler(req, res) {
 if (!mapping.segments.includes(key)) {
 logger.debug("Unsupported segment: %s", key);
 return res.status(403).json({ error: "Unsupported segment" });
- } else if (segments[key].includes("/")) {
+ } else if (segments[key].includes("/") || segments[key].includes("\\") || segments[key].includes("..")) {
 logger.debug("Unsupported segment value: %s", segments[key]);
 return res.status(403).json({ error: "Unsupported segment value" });
 }
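Review bot: The new condition on the `else if` line calls `.includes` on `segments[key]` without first checking that the value is a string. `includes` is also an Array method, where it tests element equality rather than substrings, so if `segments` can carry non-string values (where it is parsed is outside this hunk) the three checks would not mean what they appear to, and a number, `null` or plain object would throw instead of returning 403. Rejecting non-strings first closes that: `} else if (typeof segments[key] !== "string" || segments[key].includes("/") || segments[key].includes("\\") || segments[key].includes("..")) {`. The check is still a denylist of literal characters, so if the value is URL-decoded anywhere after this point (not visible here), percent-encoded separators would need the same treatment; an allowlist pattern for segment values would be the more robust form. The handler body starts and ends outside the hunk.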