Update podcast create path validation & fix relPath

server/controllers/PodcastController.js

@@ -7,7 +7,7 @@ const Database = require('../Database')
 const fs = require('../libs/fsExtra')
 
 const { getPodcastFeed, findMatchingEpisodes } = require('../utils/podcastUtils')
-const { getFileTimestampsWithIno, filePathToPOSIX } = require('../utils/fileUtils')
+const { getFileTimestampsWithIno, filePathToPOSIX, isSameOrSubPath } = require('../utils/fileUtils')
 const { validateUrl } = require('../utils/index')
 const htmlSanitizer = require('../utils/htmlSanitizer')
 
@@ -58,8 +58,18 @@ class PodcastController {
       return res.status(404).send('Folder not found')
     }
 
+    if (typeof payload.path !== 'string' || !payload.path.trim()) {
+      return res.status(400).send('Invalid request body. "path" must be a non-empty string')
+    }
+
+    const libraryFolderPath = filePathToPOSIX(folder.path)
     const podcastPath = filePathToPOSIX(payload.path)
 
+    if (!isSameOrSubPath(libraryFolderPath, podcastPath)) {
+      Logger.error(`[PodcastController] Create: Podcast path is outside library folder "${libraryFolderPath}": "${podcastPath}"`)
+      return res.status(400).send('Podcast path must be inside the selected library folder')
+    }
+
     // Check if a library item with this podcast folder exists already
     const existingLibraryItem =
       (await Database.libraryItemModel.count({
@@ -83,7 +93,7 @@ class PodcastController {
 
     const libraryItemFolderStats = await getFileTimestampsWithIno(podcastPath)
 
-    let relPath = payload.path.replace(folder.fullPath, '')
+    let relPath = podcastPath.replace(libraryFolderPath, '')
     if (relPath.startsWith('/')) relPath = relPath.slice(1)
 
     let newLibraryItem = null