fix: guard against attempts to enumerate directories outside the script root

server/server.js

@@ -1713,7 +1713,12 @@ let needSetup = false;
         socket.on("getScripts", async (subdir, callback) => {
             try {
                 subdir ??= "";
-                const dir = path.join(config.scriptDir, subdir);
+                const dir = path.posix.resolve(config.scriptDir, subdir);
+                if (path.posix.relative(config.scriptDir, dir).startsWith("../")) {
+                    throw new Error(
+                        "Enumeration location " + dir + " is outside of scripts directory " + config.scriptDir
+                    );
+                }
                 let entries = (await fs.readdir(dir, { withFileTypes: true })).map((dirent) => ({
                     name: dirent.name,
                     isDirectory: dirent.isDirectory(),