additional check for valid rootResource

services/clsi/app/coffee/RequestParser.coffee

@@ -44,7 +44,7 @@ module.exports = RequestParser =
 				type: "string"
 			originalRootResourcePath = rootResourcePath
 			sanitizedRootResourcePath = RequestParser._sanitizePath(rootResourcePath)
-			response.rootResourcePath = sanitizedRootResourcePath
+			response.rootResourcePath = RequestParser._checkPath(sanitizedRootResourcePath)
 			
 			for resource in response.resources
 				if resource.path == originalRootResourcePath
@@ -92,3 +92,10 @@ module.exports = RequestParser =
 	_sanitizePath: (path) ->
 		# See http://php.net/manual/en/function.escapeshellcmd.php
 		path.replace(/[\#\&\;\`\|\*\?\~\<\>\^\(\)\[\]\{\}\$\\\x0A\xFF\x00]/g, "")
+
+	_checkPath: (path) ->
+		# check that the request does not use a relative path
+		for dir in path.split('/')
+			if dir == '..'
+				throw "relative path in root resource"
+		return path

services/clsi/test/unit/coffee/RequestParserTests.coffee

@@ -223,4 +223,22 @@ describe "RequestParser", ->
 		it "should also escape the resource path", ->
 			@data.resources[0].path.should.equal @goodPath
 		
+	describe "with a root resource path that has a relative path", ->
+		beforeEach ->
+			@validRequest.compile.rootResourcePath = "foo/../../bar.tex"
+			@RequestParser.parse @validRequest, @callback
+			@data = @callback.args[0][1]
 
+		it "should return an error", ->
+			@callback.calledWith("relative path in root resource")
+				.should.equal true
+
+	describe "with a root resource path that has unescaped + relative path", ->
+		beforeEach ->
+			@validRequest.compile.rootResourcePath = "foo/#../bar.tex"
+			@RequestParser.parse @validRequest, @callback
+			@data = @callback.args[0][1]
+
+		it "should return an error", ->
+			@callback.calledWith("relative path in root resource")
+				.should.equal true