merge: Security fixes (!970)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/970
author: Julia <julia@insertdomain.name> 2025-04-27 20:06:59 +0000
committer: Julia <julia@insertdomain.name> 2025-04-27 20:06:59 +0000
commit: ae0ca28ae443128c8a4488d0c95d7af4a65ba1ea (patch)
tree: b4ec179f9e75210b71b66bfea0780a2ef2e20136 /packages/frontend/src/scripts/aiscript/api.ts
parent: merge: 2025.2.2 (!927) (diff)
parent: Fix linter issue (diff)
download: sharkey-ae0ca28ae443128c8a4488d0c95d7af4a65ba1ea.tar.gz
sharkey-ae0ca28ae443128c8a4488d0c95d7af4a65ba1ea.tar.bz2
sharkey-ae0ca28ae443128c8a4488d0c95d7af4a65ba1ea.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/packages/frontend/src/scripts/aiscript/api.ts b/packages/frontend/src/scripts/aiscript/api.ts
index e203c51bba..f77cc9c546 100644
--- a/packages/frontend/src/scripts/aiscript/api.ts
+++ b/packages/frontend/src/scripts/aiscript/api.ts
@@ -68,7 +68,7 @@ export function createAiScriptEnv(opts: { storageKey: string, token?: string })
 		}),
 		'Mk:api': values.FN_NATIVE(async ([ep, param, token]) => {
 			utils.assertString(ep);
-			if (ep.value.includes('://')) {
+			if (ep.value.includes('://') || ep.value.includes('..')) {
 				throw new errors.AiScriptRuntimeError('invalid endpoint');
 			}
 			if (token) {
author	Julia <julia@insertdomain.name>	2025-04-27 20:06:59 +0000
committer	Julia <julia@insertdomain.name>	2025-04-27 20:06:59 +0000
commit	ae0ca28ae443128c8a4488d0c95d7af4a65ba1ea (patch)
tree	b4ec179f9e75210b71b66bfea0780a2ef2e20136 /packages/frontend/src/scripts/aiscript/api.ts
parent	merge: 2025.2.2 (!927) (diff)
parent	Fix linter issue (diff)
download	sharkey-ae0ca28ae443128c8a4488d0c95d7af4a65ba1ea.tar.gz sharkey-ae0ca28ae443128c8a4488d0c95d7af4a65ba1ea.tar.bz2 sharkey-ae0ca28ae443128c8a4488d0c95d7af4a65ba1ea.zip