-rw-r--r--cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go24
1 files changed, 21 insertions, 3 deletions
diff --git a/cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go b/cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go
index 7ae6011..b49f151 100644
--- a/cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go
+++ b/cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go
@@ -80,11 +80,29 @@ func (m *Module) heic2jpeg(s *discordgo.Session, mc *discordgo.MessageCreate) {
}
defer resp.Body.Close()
- fname := filepath.Join(dir, filepath.Base(req.URL.Path))
- fnameStem := strings.TrimSuffix(fname, filepath.Ext(fname))
+ baseName := filepath.Base(req.URL.Path)
+ if strings.Contains(baseName, "/") || strings.Contains(baseName, "\\") || strings.Contains(baseName, "..") {
+ s.ChannelMessageSend(mc.ChannelID, "invalid file name")
+ slog.Error("invalid file name", "file name", baseName)
+ return
+ }
+ fname := filepath.Join(dir, baseName)
+ absPath, err := filepath.Abs(fname)
+ if err != nil {
+ s.ChannelMessageSend(mc.ChannelID, "invalid file path")
+ slog.Error("invalid file path", "path", absPath)
+ return
+ }
+ relPath, err := filepath.Rel(dir, absPath)
+ if err != nil || strings.HasPrefix(relPath, "..") {
+ s.ChannelMessageSend(mc.ChannelID, "invalid file path")
+ slog.Error("invalid file path", "path", absPath)
+ return
+ }
+ fnameStem := strings.TrimSuffix(absPath, filepath.Ext(absPath))
fnameJPEG := fnameStem + ".jpeg"
- fout, err := os.Create(fname)
+ fout, err := os.Create(absPath)
if err != nil {
s.ChannelMessageSend(mc.ChannelID, "failed to save image")
slog.Error("failed to save image", "err", err)