Merge commit from fork

none of our endpoints will ever contain `..` (they might, maybe, at some point, contain `.`, as in `something/get.html`?), so every `Mk:api()` call to an endpoint that contains `..` can't work: let's reject it outright Co-authored-by: dakkar <dakkar@thenautilus.net>
author: Julia <julia@insertdomain.name> 2025-04-29 05:06:39 -0400
committer: GitHub <noreply@github.com> 2025-04-29 18:06:39 +0900
commit: 583df3ec63e25a1fd34def0dac13405396b8b663 (patch)
tree: 96d044e6b216960caa4e77d1cf9e768ecb016589 /packages/frontend/src/aiscript
parent: Bump version to 2025.4.1-beta.9 (diff)
download: sharkey-583df3ec63e25a1fd34def0dac13405396b8b663.tar.gz
sharkey-583df3ec63e25a1fd34def0dac13405396b8b663.tar.bz2
sharkey-583df3ec63e25a1fd34def0dac13405396b8b663.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/packages/frontend/src/aiscript/api.ts b/packages/frontend/src/aiscript/api.ts
index e7e396023d..08ba89dd9d 100644
--- a/packages/frontend/src/aiscript/api.ts
+++ b/packages/frontend/src/aiscript/api.ts
@@ -68,7 +68,7 @@ export function createAiScriptEnv(opts: { storageKey: string, token?: string })
 		}),
 		'Mk:api': values.FN_NATIVE(async ([ep, param, token]) => {
 			utils.assertString(ep);
-			if (ep.value.includes('://')) {
+			if (ep.value.includes('://') || ep.value.includes('..')) {
 				throw new errors.AiScriptRuntimeError('invalid endpoint');
 			}
 			if (token) {
author	Julia <julia@insertdomain.name>	2025-04-29 05:06:39 -0400
committer	GitHub <noreply@github.com>	2025-04-29 18:06:39 +0900
commit	583df3ec63e25a1fd34def0dac13405396b8b663 (patch)
tree	96d044e6b216960caa4e77d1cf9e768ecb016589 /packages/frontend/src/aiscript
parent	Bump version to 2025.4.1-beta.9 (diff)
download	sharkey-583df3ec63e25a1fd34def0dac13405396b8b663.tar.gz sharkey-583df3ec63e25a1fd34def0dac13405396b8b663.tar.bz2 sharkey-583df3ec63e25a1fd34def0dac13405396b8b663.zip