Security fixes

Co-Authored-By: dakkar <dakkar@thenautilus.net>
author: Julia Johannesen <julia@insertdomain.name> 2025-04-27 13:05:09 -0400
committer: Julia Johannesen <julia@insertdomain.name> 2025-04-27 13:05:09 -0400
commit: 0bb4e57b0c646a20aa46e6cac545b37682629e89 (patch)
tree: cae0d041c41353c1c8a9e8616abc3f609de87194 /packages/frontend/src/scripts/aiscript
parent: merge: 2025.2.2 (!927) (diff)
download: sharkey-0bb4e57b0c646a20aa46e6cac545b37682629e89.tar.gz
sharkey-0bb4e57b0c646a20aa46e6cac545b37682629e89.tar.bz2
sharkey-0bb4e57b0c646a20aa46e6cac545b37682629e89.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/packages/frontend/src/scripts/aiscript/api.ts b/packages/frontend/src/scripts/aiscript/api.ts
index e203c51bba..f77cc9c546 100644
--- a/packages/frontend/src/scripts/aiscript/api.ts
+++ b/packages/frontend/src/scripts/aiscript/api.ts
@@ -68,7 +68,7 @@ export function createAiScriptEnv(opts: { storageKey: string, token?: string })
 		}),
 		'Mk:api': values.FN_NATIVE(async ([ep, param, token]) => {
 			utils.assertString(ep);
-			if (ep.value.includes('://')) {
+			if (ep.value.includes('://') || ep.value.includes('..')) {
 				throw new errors.AiScriptRuntimeError('invalid endpoint');
 			}
 			if (token) {
author	Julia Johannesen <julia@insertdomain.name>	2025-04-27 13:05:09 -0400
committer	Julia Johannesen <julia@insertdomain.name>	2025-04-27 13:05:09 -0400
commit	0bb4e57b0c646a20aa46e6cac545b37682629e89 (patch)
tree	cae0d041c41353c1c8a9e8616abc3f609de87194 /packages/frontend/src/scripts/aiscript
parent	merge: 2025.2.2 (!927) (diff)
download	sharkey-0bb4e57b0c646a20aa46e6cac545b37682629e89.tar.gz sharkey-0bb4e57b0c646a20aa46e6cac545b37682629e89.tar.bz2 sharkey-0bb4e57b0c646a20aa46e6cac545b37682629e89.zip