From eebda2427ef9feeded5daef6fe75075fee8adee4 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann <jakob.ackermann@overleaf.com>
Date: Tue, 13 May 2025 13:55:31 +0100
Subject: [PATCH] [clsi-cache] fix path traversal (#25585)

* [clsi-cache] fix path traversal

* [clsi-cache] double down on path traversal validation

Co-authored-by: Brian Gough <brian.gough@overleaf.com>

---------

Co-authored-by: Brian Gough <brian.gough@overleaf.com>
GitOrigin-RevId: 28a6a2024aae81e9b361db7918dc0c5381cd8246
---
 services/web/app/src/Features/Compile/ClsiCacheHandler.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/services/web/app/src/Features/Compile/ClsiCacheHandler.js b/services/web/app/src/Features/Compile/ClsiCacheHandler.js
index c04afd483b..bb0414bf03 100644
--- a/services/web/app/src/Features/Compile/ClsiCacheHandler.js
+++ b/services/web/app/src/Features/Compile/ClsiCacheHandler.js
@@ -9,7 +9,15 @@ const Settings = require('@overleaf/settings')
 const OError = require('@overleaf/o-error')
 const { NotFoundError, InvalidNameError } = require('../Errors/Errors')
 
+/**
+ * Keep in sync with validateFilename in services/clsi-cache/app/js/utils.js
+ *
+ * @param {string} filename
+ */
 function validateFilename(filename) {
+  if (filename.split('/').includes('..')) {
+    throw new InvalidNameError('path traversal')
+  }
   if (
     !(
       [