From 18b11df672b5a887bc17a6b9fdd13f9742c8f98e Mon Sep 17 00:00:00 2001
From: "SPRINX0\\prochazka"
Date: Thu, 12 Jun 2025 10:43:27 +0200
Subject: [PATCH] security: prevent file traversal in uploads
---
 packages/api/src/controllers/uploads.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/api/src/controllers/uploads.js b/packages/api/src/controllers/uploads.js
index 4e0b9bd2a..82cea2452 100644
--- a/packages/api/src/controllers/uploads.js
+++ b/packages/api/src/controllers/uploads.js
@@ -44,6 +44,10 @@ module.exports = {
 raw: true,
 },
 get(req, res) {
+ if (req.query.file.includes('..') || req.query.file.includes('/') || req.query.file.includes('\\')) {
+ res.status(400).send('Invalid file path');
+ return;
+ }
 res.sendFile(path.join(uploadsdir(), req.query.file));
 },
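Review bot: The added guard assumes `req.query.file` is a string, but Express builds `req.query` from the URL, so `?file=a&file=b` yields an array and an absent parameter yields `undefined`; `.includes` then either compares whole array elements (`['../x']` is not caught) or throws a TypeError before the 400 is ever sent. The check is also a deny-list of characters; the usual shape is a positive check that the value is one non-empty path segment (`path.basename(file) === file` and not `.`/`..`) plus a containment check on the resolved path, and `res.sendFile(file, { root: uploadsdir() })` would additionally let Express's own path validation reject `..` segments. The rewrite below keeps the `get(req, res)` signature and the 400 response text; the whole `get` method lies inside the hunk.
```javascript
  get(req, res) {
    const { file } = req.query;
    // Positive check: exactly one non-empty path segment (rejects arrays, undefined, separators, '.', '..').
    if (typeof file !== 'string' || file === '' || file === '.' || file === '..' || path.basename(file) !== file) {
      res.status(400).send('Invalid file path');
      return;
    }
    const base = path.resolve(uploadsdir());
    const target = path.resolve(base, file);
    // Defence in depth: the resolved target must stay inside the uploads directory.
    if (!target.startsWith(base + path.sep)) {
      res.status(400).send('Invalid file path');
      return;
    }
    res.sendFile(target);
  },
```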