From b31a12a0cc3a821a24354ca9260eb19a3b4a0656 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BE=AE=E5=87=89?= <i@nn.ci>
Date: Thu, 27 Jan 2022 14:54:20 +0800
Subject: [PATCH] :lock: not allowed access using relative path for native

---
 drivers/native/driver.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/native/driver.go b/drivers/native/driver.go
index 0529226e..601e30f9 100644
--- a/drivers/native/driver.go
+++ b/drivers/native/driver.go
@@ -1,6 +1,7 @@
 package native
 
 import (
+	"errors"
 	"fmt"
 	"github.com/Xhofe/alist/conf"
 	"github.com/Xhofe/alist/drivers/base"
@@ -58,6 +59,9 @@ func (driver Native) Save(account *model.Account, old *model.Account) error {
 }
 
 func (driver Native) File(path string, account *model.Account) (*model.File, error) {
+	if utils.IsContain(strings.Split(path, "/"), "..") {
+		return nil, errors.New("access using relative path is not allowed")
+	}
 	fullPath := filepath.Join(account.RootFolder, path)
 	if !utils.Exists(fullPath) {
 		return nil, base.ErrPathNotFound