From 2877a1812df26ee62af49e308db0a7a610b9d770 Mon Sep 17 00:00:00 2001
From: yuuki <>
Date: Thu, 30 May 2024 19:02:08 +0000
Subject: [PATCH] =?UTF-8?q?=E5=85=A8=E6=9B=B2=E5=89=8A=E9=99=A4=E3=81=95?= =?UTF-8?q?=E3=82=8C=E3=82=8B=E3=83=90=E3=82=B0=E3=82=92=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app.py b/app.py
index 7743395..c7a9081 100644
--- a/app.py
+++ b/app.py
@@ -835,7 +835,11 @@ def delete():
 id = flask.request.get_json().get('id')
 client["taiko"]["songs"].delete_one({ "id": id })
- target_dir = pathlib.Path(os.getenv("TAIKO_WEB_SONGS_DIR", "public/songs")) / id
+ parent_dir = pathlib.Path(os.getenv("TAIKO_WEB_SONGS_DIR", "public/songs"))
+ target_dir = parent_dir / id
+ if target_dir.resolve().relative_to(parent_dir.resolve()) == pathlib.Path("."):
+ return flask.jsonify({ "success": False, "reason": "PARENT IS NOT ALLOWED" })
+
 shutil.rmtree(target_dir)
 return flask.jsonify({'success': True})
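Review bot: The new guard sits after `client["taiko"]["songs"].delete_one(...)`, so a request that is refused with "PARENT IS NOT ALLOWED" has already removed the song's database record, and for an `id` whose resolved path lies outside `parent_dir` (for example one containing `..`) `relative_to` raises `ValueError` instead of returning the rejection, while a missing id makes `parent_dir / None` raise `TypeError` before the check runs; both surface as a 500 rather than the intended JSON error. Validating the path before the database delete and comparing `target_dir.resolve().parent` with `parent_dir.resolve()` covers the parent itself, escapes outside it and non-string ids in one place without raising; this assumes a song directory is exactly one level below the songs directory, which the hunk suggests but does not show, so confirm that before rejecting ids that contain a path separator. `delete()`'s decorator and signature lie outside the hunk.

```python
    id = flask.request.get_json().get('id')
    parent_dir = pathlib.Path(os.getenv("TAIKO_WEB_SONGS_DIR", "public/songs")).resolve()
    # Validate before touching the database so a refused request has no side effects.
    # A non-string id is refused up front: Path / None would raise TypeError.
    if not isinstance(id, str):
        return flask.jsonify({ "success": False, "reason": "PARENT IS NOT ALLOWED" })
    target_dir = (parent_dir / id).resolve()
    # Only a direct child of the songs directory may be removed: this refuses the
    # parent itself ("" or "."), paths that resolve outside it and nested paths,
    # and never raises the way relative_to() does for an outside path.
    if target_dir.parent != parent_dir:
        return flask.jsonify({ "success": False, "reason": "PARENT IS NOT ALLOWED" })
    client["taiko"]["songs"].delete_one({ "id": id })
    # … unchanged: shutil.rmtree(target_dir) and the success response …
```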