From a33f3c714ee32578a9141d8ff6f66dd1bfc74f50 Mon Sep 17 00:00:00 2001
From: Pooya Parsa
Date: Mon, 1 Aug 2022 12:31:21 +0200
Subject: [PATCH 1/2] fix(fs): disallow keys containing `..`
---
 src/drivers/fs.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/drivers/fs.ts b/src/drivers/fs.ts
index 68f0ef943..6e1539b1f 100644
--- a/src/drivers/fs.ts
+++ b/src/drivers/fs.ts
@@ -11,6 +11,8 @@ export interface FSStorageOptions {
 watchOptions?: WatchOptions
 }
+const PATH_TRAVERSE_RE = /\.\.\:|\.\.$/
+
 export default defineDriver((opts: FSStorageOptions = {}) => {
 if (!opts.base) {
 throw new Error('base is required')
@@ -24,7 +26,13 @@ export default defineDriver((opts: FSStorageOptions = {}) => {
 }
 opts.base = resolve(opts.base)
- const r = (key: string) => join(opts.base!, key.replace(/:/g, '/'))
+ const r = (key: string) => {
+ if (PATH_TRAVERSE_RE.test(key)) {
+ throw new Error('[unstorage] [fs] Invalid key. It should not contain `..` segments: ' + key)
+ }
+ const resolved = join(opts.base!, key.replace(/:/g, '/'))
+ return resolved
+ }
 let _watcher: FSWatcher
From 729ecff75c1ed2fcabc45fbed32f48ab1506dc0a Mon Sep 17 00:00:00 2001
From: Pooya Parsa
Date: Mon, 1 Aug 2022 12:32:13 +0200
Subject: [PATCH 2/2] chore(release): 0.4.2
---
 CHANGELOG.md | 7 +++++++
 package.json | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2354da682..d622f895e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
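Review bot: `PATH_TRAVERSE_RE` recognises only `:` as a segment separator, so the guard added to `r` rejects `..:` and a trailing `..` but not a `..` segment delimited by `/` or `\`, which `join` still resolves upward; whether such a key can reach this driver depends on key normalisation that is not visible in this patch. The pattern is also unanchored on the left, so an ordinary segment that merely ends in two dots is rejected as well. Because `resolved` is already computed in the second hunk, a containment check on the result is more robust than matching the input: `if (resolved !== opts.base && !resolved.startsWith(opts.base! + sep)) throw new Error('[unstorage] [fs] Invalid key: ' + key)`, with `sep` being the platform separator from Node's `path` module. The thrown message echoes the raw key, so callers should avoid relaying it verbatim to an untrusted client. The `defineDriver` callback continues outside both hunks, so the other call sites of `r` were not reviewed.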
@@ -2,6 +2,13 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+### [0.4.2](https://github.com/unjs/unstorage/compare/v0.4.1...v0.4.2) (2022-08-01)
+
+
+### Bug Fixes
+
+* **fs:** disallow keys containing `..` ([a33f3c7](https://github.com/unjs/unstorage/commit/a33f3c714ee32578a9141d8ff6f66dd1bfc74f50))
+
 ### [0.4.1](https://github.com/unjs/unstorage/compare/v0.4.0...v0.4.1) (2022-05-04)
diff --git a/package.json b/package.json
index 3b88f3677..9bdec2f3d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "unstorage",
- "version": "0.4.1",
+ "version": "0.4.2",
 "description": "Universal Storage Layer",
 "repository": "unjs/unstorage",
 "license": "MIT",