From 837b2562d4d208a0c56ea898091432a57b53b573 Mon Sep 17 00:00:00 2001
From: PetiteMais
Date: Tue, 23 May 2023 09:54:02 +0200
Subject: [PATCH] fix path traversal when creating events
---
 src/calendars/FullNoteCalendar.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/calendars/FullNoteCalendar.ts b/src/calendars/FullNoteCalendar.ts
index c41e014..85412e4 100644
--- a/src/calendars/FullNoteCalendar.ts
+++ b/src/calendars/FullNoteCalendar.ts
@@ -4,6 +4,7 @@ import { EventPathLocation } from "../core/EventStore";
 import { ObsidianInterface } from "../ObsidianAdapter";
 import { OFCEvent, EventLocation, validateEvent } from "../types";
 import { EditableCalendar, EditableEventResponse } from "./EditableCalendar";
+import { join } from "path";

 const basenameFromEvent = (event: OFCEvent): string => {
 switch (event.type) {
@@ -216,7 +217,14 @@ export default class FullNoteCalendar extends EditableCalendar {
 }

 async createEvent(event: OFCEvent): Promise {
- const path = `${this.directory}/${filenameForEvent(event)}`;
+ const event_filename = filenameForEvent(event);
+ const path = join(this.directory, event_filename);
+
+ if (!path.startsWith(this.directory)) {
+ throw new Error(
+ `Event at ${path} will not be in calendar directory.`
+ );
+ }
 if (this.app.getAbstractFileByPath(path)) {
 throw new Error(`Event at ${path} already exists.`);
 }
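Review bot: The `join` imported here is the platform-specific one, so on Windows it returns backslash-separated paths, whereas the line this commit removes built the path with `/` and the new `startsWith(this.directory)` check in the second hunk compares against the stored directory string. With a nested calendar directory that comparison would presumably fail for every event on Windows. I would import the POSIX variant, `import { posix } from "path";`, and call `posix.join(...)` so the result is the same on every platform. Whether Node's `path` module can be loaded on every platform this plugin targets is not visible on this page and is worth confirming.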
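Review bot: The containment check `path.startsWith(this.directory)` is a plain string-prefix test with no segment boundary, so a joined path that resolves into a sibling folder whose name merely begins with the directory name (directory `events`, result `events-old/...`) still passes, and an empty `this.directory` makes it pass for any path. Compare on a path boundary instead, for example `const rel = relative(this.directory, path);` followed by `if (rel === ".." || rel.startsWith("../") || isAbsolute(rel)) {`, using the same POSIX functions as the join. `join` also normalizes its result while `this.directory` is compared as stored, so a stored value with a trailing slash or a leading `./` would reject valid events; normalizing the directory once before the comparison avoids that. It would be worth also rejecting path separators in the value returned by `filenameForEvent`, whose body is not in this patch. `createEvent` starts inside the hunk but continues past its last line.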