From 2d91e19f708d39f2899212d938d5f219bc8140b9 Mon Sep 17 00:00:00 2001
From: BadIdeaException <7235795+BadIdeaException@users.noreply.github.com>
Date: Sun, 5 Apr 2026 17:43:48 +0200
Subject: [PATCH] fix: guard against attempts to enumerate directories outside the script root

---
 server/server.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/server.js b/server/server.js
index a7a3d57d9..b013548e4 100644
--- a/server/server.js
+++ b/server/server.js
@@ -1713,7 +1713,12 @@ let needSetup = false;
 socket.on("getScripts", async (subdir, callback) => {
 try {
 subdir ??= "";
- const dir = path.join(config.scriptDir, subdir);
+ const dir = path.posix.resolve(config.scriptDir, subdir);
+ if (path.posix.relative(config.scriptDir, dir).startsWith("../")) {
+ throw new Error(
+ "Enumeration location " + dir + " is outside of scripts directory " + config.scriptDir
+ );
+ }
 let entries = (await fs.readdir(dir, { withFileTypes: true })).map((dirent) => ({
 name: dirent.name,
 isDirectory: dirent.isDirectory(),
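Review bot: The new guard on the `if (path.posix.relative(...).startsWith("../"))` line does not catch `subdir = ".."`, because `path.posix.relative(config.scriptDir, dir)` then returns exactly `".."` with no trailing slash, so the immediate parent of the scripts directory can still be enumerated. Bind the relative path and test all three escape forms: `const rel = path.posix.relative(config.scriptDir, dir);` followed by `if (rel === ".." || rel.startsWith("../") || path.posix.isAbsolute(rel)) {`. The check is purely lexical, so a symlink inside `config.scriptDir` that points outside it would still be followed by `fs.readdir`; if that matters here, compare `fs.realpath` results instead, and note that using `path.posix` presumably assumes `config.scriptDir` is a POSIX-style path, which is worth confirming for Windows deployments. The `getScripts` handler continues past the end of the hunk, so the `callback` error path that receives this throw is not visible here.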