From 242d5763d451eed2402be7afde50cd9fa0d6bc79 Mon Sep 17 00:00:00 2001
From: metamuffin <metamuffin@disroot.org>
Date: Tue, 9 Dec 2025 16:23:21 +0100
Subject: fix cache name escape bugs

---
 cache/src/backends/filesystem.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'cache/src/backends')

diff --git a/cache/src/backends/filesystem.rs b/cache/src/backends/filesystem.rs
index 9a9db9c..ec242d2 100644
--- a/cache/src/backends/filesystem.rs
+++ b/cache/src/backends/filesystem.rs
@@ -5,7 +5,7 @@
 */
 
 use crate::{Config, backends::CacheStorage};
-use anyhow::Result;
+use anyhow::{Result, bail};
 use rand::random;
 use std::{
     fs::{File, create_dir_all, rename},
@@ -34,6 +34,9 @@ impl CacheStorage for Filesystem {
         Ok(())
     }
     fn read(&self, key: &str) -> Result<Option<Vec<u8>>> {
+        if key.contains("..") || key.starts_with("/") {
+            bail!("invalid key")
+        }
         match File::open(self.0.join(key)) {
             Ok(mut f) => {
                 let mut data = Vec::new();
-- 
cgit v1.3