From 1b14800c7d7f54be14ed4d130bfe7f480645076e Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Sat, 20 Jan 2024 19:48:52 -0800
Subject: [PATCH] fix(api): protect emoji delete api from path traversal exploit

---
 controllers/admin/emoji.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/controllers/admin/emoji.go b/controllers/admin/emoji.go
index 43028e6b7..810b629d1 100644
--- a/controllers/admin/emoji.go
+++ b/controllers/admin/emoji.go
@@ -76,9 +76,13 @@ func DeleteCustomEmoji(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// var emojiFileName = filepath.Base(emoji.Name)
 	targetPath := filepath.Join(config.CustomEmojiPath, emoji.Name)
 
+	if !filepath.IsLocal(targetPath) {
+		controllers.WriteSimpleResponse(w, false, "Emoji path is not valid")
+		return
+	}
+
 	if err := os.Remove(targetPath); err != nil {
 		if os.IsNotExist(err) {
 			controllers.WriteSimpleResponse(w, false, fmt.Sprintf("Emoji %q doesn't exist", emoji.Name))
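Review bot: The new filepath.IsLocal guard is applied to targetPath, which is the wrong value: filepath.Join has already cleaned the request-supplied emoji.Name, so a name whose `..` elements climb no further than the depth of config.CustomEmojiPath collapses into a path with no `..` left in it, passes IsLocal, and os.Remove is still called outside the emoji directory. Conversely, if CustomEmojiPath is an absolute path (not visible in this hunk), IsLocal rejects every joined path and deletion stops working entirely. Validate the untrusted component before it is joined, `if !filepath.IsLocal(emoji.Name) {`, and since an emoji name should be a bare file name, consider also rejecting any value containing a path separator (`strings.ContainsRune(emoji.Name, filepath.Separator)`). The enclosing DeleteCustomEmoji begins and ends outside the hunk.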