From 1c346d63148dccc6629effa4034bf33869320f62 Mon Sep 17 00:00:00 2001
From: retoor
Date: Mon, 8 Dec 2025 00:12:52 +0100
Subject: [PATCH] Removed traversal.
---
 proxy.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/proxy.py b/proxy.py
index 645da3a..306a21a 100644
--- a/proxy.py
+++ b/proxy.py
@@ -26,9 +26,9 @@ def add_cors_headers(response):
 return response
 def is_path_safe(path):
- normalized = posixpath.normpath(path)
- if '..' in normalized:
+ if '..' in path:
 return False
+ normalized = posixpath.normpath(path)
 full_path = os.path.abspath(os.path.join(ROOT_DIR, normalized.lstrip('/')))
 return full_path.startswith(ROOT_DIR)
@@ -40,7 +40,7 @@ async def proxy_request(request, method, max_retries=10, retry_delay=2):
 api_parsed_url = urlparse(api_path)
 normalized_api_path = posixpath.normpath(api_parsed_url.path).lstrip('/')
- if '..' in normalized_api_path:
+ if '..' in api_parsed_url.path:
 response = web.json_response({'success': False, 'error': 'Invalid path'}, status=400)
 return add_cors_headers(response)
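Review bot: In `is_path_safe`, `'..' in path` is a substring test, so it also rejects legitimate names such as `report..txt`, and the closing `full_path.startswith(ROOT_DIR)` is a plain string-prefix comparison that would accept a sibling directory whose name merely begins with the root's name. Testing path components instead, `if '..' in path.split('/'):`, keeps the early rejection without the false positives, and `return os.path.commonpath([ROOT_DIR, full_path]) == ROOT_DIR` makes the containment check component-aware (this assumes ROOT_DIR is already absolute and normalized, which is not visible in the hunk). `os.path.abspath` does not resolve symlinks, so if the served tree can contain links, `os.path.realpath` on both sides would be the safer comparison. A one-line docstring stating whether `path` is expected to be percent-decoded already would make the contract clear to callers.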
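Review bot: In `proxy_request`, the new test `'..' in api_parsed_url.path` runs on the path exactly as `urlparse` returns it, and `urlparse` does not percent-decode, so an encoded dot-dot segment is not matched here and may be interpreted later by whatever consumes the path. Checking the decoded form component by component, for example `if '..' in unquote(api_parsed_url.path).split('/'):` (with `unquote` from `urllib.parse`), covers that case and stops rejecting names that merely contain two dots. `normalized_api_path` is still computed above the check and its later use lies outside this hunk, so it is worth confirming that a collapsed path is what should be forwarded. Sharing one component-wise helper with `is_path_safe` would keep the two checks from drifting apart.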