From af2bc7d8222ca0dde688a25dcfa429aae4ed29a2 Mon Sep 17 00:00:00 2001
From: Max Asnaashari
Date: Wed, 4 Sep 2024 19:14:46 +0000
Subject: [PATCH] api: Explicit checks

Signed-off-by: Max Asnaashari
---
 api/services_tokens.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/api/services_tokens.go b/api/services_tokens.go
index 0cbe619a..32c8abd1 100644
--- a/api/services_tokens.go
+++ b/api/services_tokens.go
@@ -70,6 +70,15 @@ func serviceTokensPost(s *state.State, r *http.Request) response.Response {
 return response.SmartError(err)
 }
+ if strings.Contains(req.JoinerName, "/") || strings.Contains(req.JoinerName, "\\") || strings.Contains(req.JoinerName, "..") {
+ return response.SmartError(err)
+ }
+
+ _, err = filepath.Abs(req.JoinerName)
+ if err != nil {
+ return response.SmartError(err)
+ }
+
 _ = os.MkdirAll(req.JoinerName, 0700)
 sh, err := service.NewHandler(s.Name(), req.ClusterAddress, s.OS.StateDir, false, false, types.ServiceType(serviceType))
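Review bot: The new path-separator check returns `response.SmartError(err)` while `err` is nil, because the preceding `if err != nil` block (visible just above in the hunk) has already returned on any error; if SmartError maps a nil error to a success response, as it does in the LXD-style response package this appears to use, a JoinerName containing `/`, `\` or `..` is rejected silently with an empty 2xx instead of a client error, and the caller cannot tell the request was refused. Return an explicit error from that branch, e.g. `return response.BadRequest(fmt.Errorf("invalid joiner name %q", req.JoinerName))` (add `fmt` to the imports if the file does not already have it). The `filepath.Abs` call that follows validates nothing about the name itself — it only fails when the working directory cannot be resolved — so the `strings.Contains` condition is the only real guard here and should also reject an empty JoinerName before `os.MkdirAll` runs on it; `filepath.IsLocal(req.JoinerName)` would express the intended "plain relative name" check more directly than the three substring tests. serviceTokensPost begins and ends outside the hunk.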