Closed
Description
If options.namespace is set to '..' or '/'. attacker can write into outside options.dir directories.
Ex1:
https://github.com/y-js/y-websockets-server/blob/v9.2.1/src/server.js#L44-L45
If user input room as '..', they can write into directories outside 'y-leveldb-databases'.
Metadata
Metadata
Assignees
Labels
No labels