From d9d487f1bafa0c0e92b3225121d9d75d9bd0a8d2 Mon Sep 17 00:00:00 2001
From: shanecodezzz
Date: Sat, 14 Feb 2026 09:20:39 -0800
Subject: [PATCH] fix(freqtrade/plugins/pairlist/RemotePairList.py): address code quality issues
- [high/security] file:// URL handler allows reading arbitrary local files with no path validation or restriction.
---
 freqtrade/plugins/pairlist/RemotePairList.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/freqtrade/plugins/pairlist/RemotePairList.py b/freqtrade/plugins/pairlist/RemotePairList.py
index 7967c2d1c..bad776cce 100644
--- a/freqtrade/plugins/pairlist/RemotePairList.py
+++ b/freqtrade/plugins/pairlist/RemotePairList.py
@@ -236,7 +236,15 @@ class RemotePairList(IPairList):
 else:
 if self._pairlist_url.startswith("file:///"):
 filename = self._pairlist_url.split("file:///", 1)[1]
- file_path = Path(filename)
+ file_path = Path(filename).resolve()
+
+ user_data_dir = self._config["user_data_dir"].resolve()
+ if not file_path.is_relative_to(user_data_dir):
+ raise OperationalException( f"File path '{file_path}' is outside the allowed directory " f"'{user_data_dir}'. For security reasons, file:// URLs must " f"reference files within the user data directory." )
 if file_path.exists():
 with file_path.open() as json_file: