From f789dcc80ee6c0227db42c047da301e1e65e8983 Mon Sep 17 00:00:00 2001
From: DJ1TJOO <t.ferb1@gmail.com>
Date: Tue, 2 Mar 2021 14:06:50 +0100
Subject: [PATCH] Limited performFsJob to parent folder

---
 electron/index.js | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/electron/index.js b/electron/index.js
index a052baca..fecc9d11 100644
--- a/electron/index.js
+++ b/electron/index.js
@@ -155,8 +155,19 @@ ipcMain.on("exit-app", (event, flag) => {
 });
 
 function performFsJob(job) {
-    let fname = path.join(storePath, job.filename);
-    if (job.mods) fname = path.join(modsPath, job.filename);
+    let parent = storePath;
+
+    if (job.mods)
+        let parent = modsPath;
+
+    const fname = path.join(parent, job.filename);
+    const relative = path.relative(parent, fname);
+
+    //If not a child of parent
+    if(!relative && !relative.startsWith('..') && !path.isAbsolute(relative))
+        return {
+            error: "Cannot get above parent folder"
+        }
 
     switch (job.type) {
         case "readDir":