From 814fa5935061375ae651ccd15e33fb3ee67c5dd2 Mon Sep 17 00:00:00 2001 From: Dilum Aluthge Date: Fri, 20 Jun 2025 21:21:14 -0400 Subject: [PATCH] Disallow additional path traversal patterns --- src/forge.jl | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/forge.jl b/src/forge.jl index 7222e4d..a8ed5f2 100644 --- a/src/forge.jl +++ b/src/forge.jl @@ -187,10 +187,19 @@ struct Endpoint query::Dict=Dict(), allow_404::Bool=false, ) - # do not allow path navigation in URLs + # Do not allow path navigation in URLs + # Disallowed pattern: .. if occursin(r"\.\.", url) throw(ArgumentError("URLs cannot contain path navigation")) end + + # Additional disallowed patterns: + # ../, ..\, /.., \.., ./, .\, /./, \.\ + PATH_TRAVERSAL = r"(?:\.{2,}[\/\\]|\.{1,}[\/\\]|[\/\\]\.{2,}|[\/\\]\.{1,}[\/\\])" + if occursin(PATH_TRAVERSAL, url) + throw(ArgumentError("URLs cannot contain path navigation")) + end + # do not allow new lines or carriage returns in URLs if occursin(r"\s", url) throw(ArgumentError("URLs cannot contain line breaks"))
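Review bot: Percent-encoded traversal still passes both checks, because neither regex considers URL-encoded dots — `%2e%2e/`, `.%2e/` and `%2e%2e%2f` contain no literal `..` and no `.` adjacent to a slash, yet a server that decodes the path before routing would see `../`. If `url` is meant to be unencoded at this point (the hunk does not show where it comes from), reject the encoded form too, e.g. `if occursin(r"%2e"i, url) throw(ArgumentError("URLs cannot contain encoded path navigation")) end`, while not blanket-rejecting `%2f`, which some forge APIs use legitimately inside project path segments. Separately, once `..` is already rejected the four alternatives in `PATH_TRAVERSAL` reduce to `r"\.[\/\\]"` — the `\.{2,}` branches can never match and the `[\/\\]\.{1,}[\/\\]` branch is subsumed by `\.{1,}[\/\\]` — so the simpler pattern states the intent more honestly, and a module-level `const` would be more conventional than an ALL_CAPS local binding. The enclosing constructor starts before the hunk.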