fix: relative path judgment (close #3130)

pkg/utils/path.go

@@ -75,7 +75,17 @@ func EncodePath(path string, all ...bool) string {
 }
 
 func JoinBasePath(basePath, reqPath string) (string, error) {
-	if strings.HasSuffix(reqPath, "..") || strings.Contains(reqPath, "../") {
+	/** relative path:
+	 * 1. ..
+	 * 2. ../
+	 * 3. /..
+	 * 4. /../
+	 * 5. /a/b/..
+	 */
+	if reqPath == ".." ||
+		strings.HasSuffix(reqPath, "/..") ||
+		strings.HasPrefix(reqPath, "../") ||
+		strings.Contains(reqPath, "/../") {
 		return "", errs.RelativePath
 	}
 	return stdpath.Join(FixAndCleanPath(basePath), FixAndCleanPath(reqPath)), nil