From c33110b92e80d6e098320fa409099780e7782dd5 Mon Sep 17 00:00:00 2001
From: Krzysztof Pajak
Date: Mon, 9 Dec 2024 20:25:02 +0100
Subject: [PATCH] Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/Web/Grand.Web.Admin/Controllers/SettingController.cs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Web/Grand.Web.Admin/Controllers/SettingController.cs b/src/Web/Grand.Web.Admin/Controllers/SettingController.cs
index a14ac9946..9543d8443 100644
--- a/src/Web/Grand.Web.Admin/Controllers/SettingController.cs
+++ b/src/Web/Grand.Web.Admin/Controllers/SettingController.cs
@@ -780,6 +780,11 @@ private void SavePushNotificationsToFile(PushNotificationsSettingsModel model, I
     private string GetSafeFilePath(IConfiguration configuration, IWebHostEnvironment webHostEnvironment, string filename)
     {
         var directoryParam = configuration[CommonPath.DirectoryParam] ?? "";
+
+        // Validate directoryParam to ensure it does not contain ".." or path separators
+        if (directoryParam.Contains("..") || directoryParam.Contains("/") || directoryParam.Contains("\\"))
+            throw new ArgumentException("Invalid directory parameter - contains illegal characters.");
+
         var safeDirectoryName = Path.GetFileName(directoryParam);
         var combinedPath = Path.Combine(webHostEnvironment.WebRootPath, safeDirectoryName, filename);
         var fullPath = Path.GetFullPath(combinedPath, webHostEnvironment.WebRootPath);
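Review bot: The new guard only covers the configuration value, while the `filename` parameter still reaches `Path.Combine` unvalidated two lines below the added block; `Path.Combine` discards every earlier segment when a later one is rooted, and `Path.GetFullPath(combinedPath, basePath)` returns an already-rooted path unchanged, so the directory check alone does not bound the result under `WebRootPath`. Whether callers can influence `filename` is not visible here (the hunk header suggests fixed push-notification files, but other callers may exist), so the same sanitisation should be applied to it regardless: `var safeFileName = Path.GetFileName(filename);` and `var combinedPath = Path.Combine(webHostEnvironment.WebRootPath, safeDirectoryName, safeFileName);`. Note also that after this guard the `Path.GetFileName(directoryParam)` call on the next line can no longer strip anything meaningful, so the comment should say the exception is now the intended behaviour for a misconfigured `DirectoryParam`, not a silent fallback. GetSafeFilePath's body continues outside the hunk, so any containment check on `fullPath` performed there is not visible in this review.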