From 09fa0b38f5af5a9bc8d07b1541dc21718585e697 Mon Sep 17 00:00:00 2001
From: advplyr <advplyr@protonmail.com>
Date: Fri, 17 Apr 2026 16:51:22 -0500
Subject: [PATCH] Update podcast create path validation & fix relPath

---
 server/controllers/PodcastController.js | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/server/controllers/PodcastController.js b/server/controllers/PodcastController.js
index c70287600..f099d05ed 100644
--- a/server/controllers/PodcastController.js
+++ b/server/controllers/PodcastController.js
@@ -7,7 +7,7 @@ const Database = require('../Database')
 const fs = require('../libs/fsExtra')
 
 const { getPodcastFeed, findMatchingEpisodes } = require('../utils/podcastUtils')
-const { getFileTimestampsWithIno, filePathToPOSIX } = require('../utils/fileUtils')
+const { getFileTimestampsWithIno, filePathToPOSIX, isSameOrSubPath } = require('../utils/fileUtils')
 const { validateUrl } = require('../utils/index')
 const htmlSanitizer = require('../utils/htmlSanitizer')
 
@@ -58,8 +58,18 @@ class PodcastController {
       return res.status(404).send('Folder not found')
     }
 
+    if (typeof payload.path !== 'string' || !payload.path.trim()) {
+      return res.status(400).send('Invalid request body. "path" must be a non-empty string')
+    }
+
+    const libraryFolderPath = filePathToPOSIX(folder.path)
     const podcastPath = filePathToPOSIX(payload.path)
 
+    if (!isSameOrSubPath(libraryFolderPath, podcastPath)) {
+      Logger.error(`[PodcastController] Create: Podcast path is outside library folder "${libraryFolderPath}": "${podcastPath}"`)
+      return res.status(400).send('Podcast path must be inside the selected library folder')
+    }
+
     // Check if a library item with this podcast folder exists already
     const existingLibraryItem =
       (await Database.libraryItemModel.count({
@@ -83,7 +93,7 @@ class PodcastController {
 
     const libraryItemFolderStats = await getFileTimestampsWithIno(podcastPath)
 
-    let relPath = payload.path.replace(folder.fullPath, '')
+    let relPath = podcastPath.replace(libraryFolderPath, '')
     if (relPath.startsWith('/')) relPath = relPath.slice(1)
 
     let newLibraryItem = null