From ea29f580a5e7cc854d1d5fe8b60554360b1a7625 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 9 Nov 2021 15:37:58 -0500
Subject: [PATCH] clean api url paths from directory traversal (#539)

---
 common/src/services/api.service.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/common/src/services/api.service.ts b/common/src/services/api.service.ts
index b7fff0ce8e..df33c1792f 100644
--- a/common/src/services/api.service.ts
+++ b/common/src/services/api.service.ts
@@ -1616,6 +1616,9 @@ export class ApiService implements ApiServiceAbstraction {
 headers.set('User-Agent', this.customUserAgent);
 }
 
+ // Clean path from directory traversal
+ path = path.split('../').join('');
+
 const requestInit: RequestInit = {
 cache: 'no-store',
 credentials: this.getCredentials(),
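Review bot: The added `path = path.split('../').join('')` strips the sequence in a single pass, so input whose characters join up again around a removed `../` still contains `../` afterwards. It also does not cover a backslash separator or percent-encoded dots, which URL parsing in the runtime's fetch layer may normalise to the same parent-directory segment (worth confirming per client platform). Stripping silently rewrites the request target instead of surfacing the bad input, so I would reject rather than rewrite, e.g. `if (/(^|[\/\\])(\.|%2e){2}([\/\\?#]|$)/i.test(path)) { throw new Error('Invalid API path'); }`. The enclosing method starts and ends outside this hunk, so also confirm that callers pass any identifier they interpolate into `path` through `encodeURIComponent`, and extend the comment to say where the untrusted path segments come from.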