From 12e385d22e3ddadc67c07f58907c0bf37eac6364 Mon Sep 17 00:00:00 2001
From: vcwai <victorcwai@gmail.com>
Date: Wed, 12 Oct 2022 13:29:56 +0800
Subject: [PATCH] Fix unsafe path construction in DataFileStore.js

---
 lib/storage/data/file/DataFileStore.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/storage/data/file/DataFileStore.js b/lib/storage/data/file/DataFileStore.js
index a17192ae3..b5fe399af 100644
--- a/lib/storage/data/file/DataFileStore.js
+++ b/lib/storage/data/file/DataFileStore.js
@@ -121,6 +121,9 @@ class DataFileStore {
      *   object contents
      */
     getFilePath(key) {
+        if (key.includes(path.sep) || key === '..' || key === '.') {
+            return '';
+        }
         if (this.isPassthrough) {
             const dirname = path.resolve(this.dataPath);
             const filePath = path.resolve(dirname, key);