From 6f14b653a570ae58c1c6c8a807caa685bddb0774 Mon Sep 17 00:00:00 2001
From: stevereis <stevereis93@gmail.com>
Date: Thu, 10 Mar 2022 09:39:18 +0100
Subject: [PATCH] fix: Prevent local file inclusion exploit

---
 api/src/engine/assets.service.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/api/src/engine/assets.service.ts b/api/src/engine/assets.service.ts
index b01c5c3..4abde93 100644
--- a/api/src/engine/assets.service.ts
+++ b/api/src/engine/assets.service.ts
@@ -34,6 +34,8 @@ export class AssetsService {
       );
     }
 
+    if (!filePath.includes('assets/engines')) return undefined;
+
     return fs.existsSync(filePath) ? filePath : undefined;
   }
 
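Review bot: The added guard `filePath.includes('assets/engines')` is a substring test on a path that has not been normalised, so a value that contains that text followed by `..` segments still passes and reaches `fs.existsSync`. Resolve the path first and compare it with the absolute base directory, e.g. `const resolved = path.resolve(filePath);` then `if (!resolved.startsWith(assetsRoot + path.sep)) return undefined;`, and return `resolved` rather than the raw input. `assetsRoot` is a placeholder for the absolute engines directory, and whether `path` is imported in this file is not visible here. The method starts above the hunk, so how `filePath` is assembled and which parts come from the request should be confirmed. A unit test asserting `undefined` for a path that leaves the directory would pin the fix.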
-- 
GitLab