From fe90cc7b24cdb5749403036556707a9c60b1c2db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=81=82=E3=82=8F=E3=82=8F=E3=82=8F=E3=81=A8=E3=83=BC?=
 =?UTF-8?q?=E3=81=AB=E3=82=85?=
 <17376330+u1-liquid@users.noreply.github.com>
Date: Thu, 1 May 2025 21:24:38 +0900
Subject: [PATCH] Merge commit from fork

(cherry picked from commit 583df3ec63e25a1fd34def0dac13405396b8b663)

none of our endpoints will ever contain `..` (they might, maybe, at
some point, contain `.`, as in `something/get.html`?), so every
`Mk:api()` call to an endpoint that contains `..` can't work: let's
reject it outright

Co-authored-by: Julia <julia@insertdomain.name>
Co-authored-by: dakkar <dakkar@thenautilus.net>
---
 packages/frontend/src/scripts/aiscript/api.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/frontend/src/scripts/aiscript/api.ts b/packages/frontend/src/scripts/aiscript/api.ts
index 15d1cfc03..525b0540b 100644
--- a/packages/frontend/src/scripts/aiscript/api.ts
+++ b/packages/frontend/src/scripts/aiscript/api.ts
@@ -51,7 +51,9 @@ export function createAiScriptEnv(opts) {
 		}),
 		'Mk:api': values.FN_NATIVE(async ([ep, param, token]) => {
 			utils.assertString(ep);
-			if (ep.value.includes('://')) throw new Error('invalid endpoint');
+			if (ep.value.includes('://') || ep.value.includes('..')) {
+				throw new Error('invalid endpoint');
+			}
 			if (token) {
 				utils.assertString(token);
 				// バグがあればundefinedもあり得るため念のため