[5.x] Prevent path traversal in file dictionary (#14272)

Author: duncanmcclean

src/Dictionaries/File.php

@@ -2,6 +2,7 @@
 
 namespace Statamic\Dictionaries;
 
+use League\Flysystem\PathTraversalDetected;
 use Statamic\Facades\Antlers;
 use Statamic\Facades\YAML;
 
@@ -55,7 +56,13 @@ protected function getItemLabel(array $item): string
 
     protected function getItems(): array
     {
-        $path = resource_path('dictionaries').'/'.$this->config['filename'];
+        $filename = $this->config['filename'];
+
+        if (str_contains($filename, '..')) {
+            throw PathTraversalDetected::forPath($filename);
+        }
+
+        $path = resource_path('dictionaries/'.$filename);
 
         if (! file_exists($path)) {
             throw new \Exception('Dictionary file ['.$path.'] does not exist.');

tests/Dictionaries/FileTest.php

@@ -2,6 +2,7 @@
 
 namespace Tests\Dictionaries;
 
+use League\Flysystem\PathTraversalDetected;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Dictionaries\File;
@@ -180,4 +181,15 @@ public function it_gets_array_from_value()
             'emoji' => '🍌',
         ], $item->data());
     }
+
+    #[Test]
+    public function path_traversal_not_allowed()
+    {
+        $this->expectException(PathTraversalDetected::class);
+        $this->expectExceptionMessage('Path traversal detected: ../secret.json');
+
+        (new File)
+            ->setConfig(['filename' => '../secret.json'])
+            ->options();
+    }
 }