From 1a84e44351d9b38687a76f6d4c4429db520438cd Mon Sep 17 00:00:00 2001
From: Tamas Gal
Date: Fri, 17 Oct 2025 00:10:08 +0200
Subject: [PATCH] Add security to local directory setup
---
 backend/main.go | 2 +-
 backend/setup_data_dir.go | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/backend/main.go b/backend/main.go
index fcd701c..e10f01b 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -39,7 +39,7 @@ func main() {
 // Setup data directory
 dataDir, err := setupDataDir()
 if err != nil {
- slog.Error("Cannot set data directory: %s; %w", os.Getenv("DATA_DIR"), err)
+ slog.Error("Cannot set data directory", "dir", os.Getenv("DATA_DIR"), "error", err)
 os.Exit(1)
 }

diff --git a/backend/setup_data_dir.go b/backend/setup_data_dir.go
index f947a24..40b8048 100644
--- a/backend/setup_data_dir.go
+++ b/backend/setup_data_dir.go
@@ -14,6 +14,10 @@ func setupDataDir() (string, error) {
 dataDir = filepath.Join(".", os.Getenv("DATA_DIR"))
 }

+ if !filepath.IsLocal(dataDir) {
+ return "", fmt.Errorf("directory '%s' is not valid or not local", dataDir)
+ }
+
 if _, err := os.Stat(dataDir); os.IsNotExist(err) {
 err := os.Mkdir(dataDir, 0o755)
 if err != nil {
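Review bot: The new guard in setupDataDir relies on filepath.IsLocal, which is a purely lexical check, so it rejects `..` escapes but not a data directory (or a parent component) that is a symlink pointing outside the working directory. If containment is the goal, the path should also be resolved once it exists, for example with filepath.EvalSymlinks, and compared against the resolved working directory. The check also runs on the value after the visible `filepath.Join(".", os.Getenv("DATA_DIR"))`, which turns an absolute DATA_DIR into a relative path, so an absolute value is silently rewritten and accepted rather than reported; validating the raw variable before the join, `if v := os.Getenv("DATA_DIR"); v != "" && !filepath.IsLocal(v) { return "", fmt.Errorf("DATA_DIR %q is not a local path", v) }`, would make the rejection explicit. I would also add the comment `// IsLocal is lexical only; symlinks are not resolved here.` above the guard. The function starts and ends outside the hunk, so the branch that sets dataDir when DATA_DIR is unset, and whether `fmt` is already imported in this file, cannot be confirmed from here.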