From a04c4bc8936c372fa3b482b78cee4fbd7f269747 Mon Sep 17 00:00:00 2001
From: Ambrose Chua
Date: Tue, 16 Nov 2021 22:09:29 +0800
Subject: [PATCH] fix: Force all paths to be within `cwd()`
---
index.js | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 0a097c0..21c1453 100755
--- a/index.js
+++ b/index.js
@@ -154,7 +154,11 @@ app.use((req, res, next) => {
 });
 function relative(...paths) {
- return paths.reduce((a, b) => path.join(a, b), process.cwd());
+ const finalPath = paths.reduce((a, b) => path.join(a, b), process.cwd());
+ if (path.relative(process.cwd(), finalPath).startsWith("..")) {
+ throw new Error("Failed to resolve path outside of the working directory")
+ }
+ return finalPath;
 }
 function flashify(req, obj) {
 let error = req.flash("error");
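Review bot: The containment test `path.relative(process.cwd(), finalPath).startsWith("..")` in the new `relative` body rejects legitimate entries inside the working directory whose name begins with two dots (a directory called `..cache` yields the relative path `..cache`), because it matches a prefix rather than a path segment. A segment-aware test keeps the same intent: `const rel = path.relative(process.cwd(), finalPath);` followed by `if (rel === ".." || rel.startsWith(".." + path.sep)) {`. The comparison is purely lexical, so it presumably does not cover a symlink under cwd that points outside it; if that case matters, resolve both sides with `fs.realpathSync` before comparing. The `throw new Error(...)` line is also missing its trailing semicolon, unlike the surrounding lines.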