From 694110583f3fd54009bf2740bf5b913a3974fd3e Mon Sep 17 00:00:00 2001
From: yggverse
Date: Thu, 19 Mar 2026 20:26:54 +0200
Subject: [PATCH] prevent traversal request
---
 src/main.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index 9a17779..4fe299e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -193,13 +193,18 @@ fn main() -> Result<()> {
 let path_source = {
 let mut p = PathBuf::from(&config.upload);
 p.push(upload);
- p
+ p.canonicalize()?
 };
 let path_target = {
 let mut p = PathBuf::from(&config.target);
 p.push(upload);
- p
+ p.canonicalize()?
 };
+
+ // prevent traversal request
+ assert!(path_source.starts_with(&config.upload));
+ assert!(path_target.starts_with(&config.target));
+
 let path_parent = path_target.parent().unwrap();
 create_dir_all(path_parent)?;
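Review bot: `path_target` is canonicalized before `create_dir_all(path_parent)` runs, and `canonicalize()` fails on a path that does not exist yet, so an upload whose target file or directory is new likely errors out here instead of being processed. The two `starts_with` checks compare a canonical absolute path against `config.upload` / `config.target` exactly as configured, so a relative or symlinked root fails the assert for every path, including legitimate ones; the upload root should be canonicalized once and compared against that. `assert!` also turns a rejected request into a process panic, so the check should return an error (or skip the entry) rather than abort. The sketch below validates the source against its canonical root and builds the target from the validated relative part; the enclosing block of `main` starts and ends outside the hunk, so the exact rejection path is a guess at what fits there.

```rust
let root_source = PathBuf::from(&config.upload).canonicalize()?;
let path_source = root_source.join(upload).canonicalize()?;
// the source must resolve inside the canonical upload root
let Ok(relative) = path_source.strip_prefix(&root_source) else {
    return Err(std::io::Error::new(
        std::io::ErrorKind::PermissionDenied,
        "upload path escapes the configured root",
    )
    .into());
};
// the target may not exist yet, so derive it from the validated relative part
let path_target = PathBuf::from(&config.target).join(relative);
// … unchanged: path_parent / create_dir_all …
```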