The filePathSuffix value provided via SelectFilePathSuffixDialog is sent directly as override_file_path_suffix to /api/v1/tv/torrents, and on the backend this suffix is concatenated into episode filenames/paths without sanitization. An attacker with access to this dialog can supply values containing ../ or path separators so that, when imports run, files are written outside the intended show/season directory (path traversal / arbitrary file overwrite). Harden this by validating and normalizing override_file_path_suffix server-side (e.g. restrict to a safe character set and reject .. and path separators) and by treating it strictly as a filename suffix, not a partial path.
Originally posted by @Copilot in #331 (comment)
The
filePathSuffixvalue provided viaSelectFilePathSuffixDialogis sent directly asoverride_file_path_suffixto/api/v1/tv/torrents, and on the backend this suffix is concatenated into episode filenames/paths without sanitization. An attacker with access to this dialog can supply values containing../or path separators so that, when imports run, files are written outside the intended show/season directory (path traversal / arbitrary file overwrite). Harden this by validating and normalizingoverride_file_path_suffixserver-side (e.g. restrict to a safe character set and reject..and path separators) and by treating it strictly as a filename suffix, not a partial path.Originally posted by @Copilot in #331 (comment)