From b42ec3e810876c9dfa3996985a257ba9061940b6 Mon Sep 17 00:00:00 2001
From: Noah Hsu
Date: Mon, 23 Jan 2023 15:50:49 +0800
Subject: [PATCH] fix: relative path judgment (close #3130)

---
 pkg/utils/path.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkg/utils/path.go b/pkg/utils/path.go
index 1e3a8c4a..f328bd1c 100644
--- a/pkg/utils/path.go
+++ b/pkg/utils/path.go
@@ -75,7 +75,17 @@ func EncodePath(path string, all ...bool) string {
 }
 
 func JoinBasePath(basePath, reqPath string) (string, error) {
- if strings.HasSuffix(reqPath, "..") || strings.Contains(reqPath, "../") {
+ /** relative path:
+ * 1. ..
+ * 2. ../
+ * 3. /..
+ * 4. /../
+ * 5. /a/b/..
+ */
+ if reqPath == ".." ||
+ strings.HasSuffix(reqPath, "/..") ||
+ strings.HasPrefix(reqPath, "../") ||
+ strings.Contains(reqPath, "/../") {
 return "", errs.RelativePath
 }
 return stdpath.Join(FixAndCleanPath(basePath), FixAndCleanPath(reqPath)), nil
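Review bot: The traversal guard in JoinBasePath recognises `..` only when it is delimited by `/` in the raw reqPath, while the value actually joined is FixAndCleanPath(reqPath). If that helper (defined outside this hunk) rewrites `\` to `/` or normalizes the string in some other way, a `..` segment written with a different separator would pass the check and only become a parent reference afterwards. Comparing whole segments after the same separator normalization keeps the check and the join in agreement, e.g. `for _, seg := range strings.Split(strings.ReplaceAll(reqPath, "\\", "/"), "/") { if seg == ".." { return "", errs.RelativePath } }`. The `/** … */` block inside the body is not Go comment style; a doc comment above the function such as `// JoinBasePath joins reqPath under basePath and returns errs.RelativePath when reqPath contains a ".." segment.` would state the contract where callers look for it. The function's closing brace lies outside the hunk.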