sanitize the log filename

* do not allow path separator

Author: sandboxcoder

obs-studio-server/source/nodeobs_api.cpp

@@ -835,6 +835,17 @@ void addModulePaths()
 #endif
 }
 
+std::filesystem::path sanitize_path(const std::filesystem::path &input)
+{
+	std::filesystem::path normalized = input.lexically_normal();
+
+	if (normalized.is_absolute() || normalized.string().find("..") != std::string::npos) {
+		throw std::runtime_error("Invalid path");
+	}
+
+	return normalized;
+}
+
 static void listEncoders(obs_encoder_type type)
 {
 	constexpr uint32_t hide_flags = OBS_ENCODER_CAP_DEPRECATED | OBS_ENCODER_CAP_INTERNAL;
@@ -881,7 +892,7 @@ void OBS_API::OBS_API_initAPI(void *data, const int64_t id, const std::vector<ip
 		if (logPath.size() > 0) {
 			// Parse the log filename
 			std::ostringstream ss;
-			ss << logPath << '-' << GenerateTimeDateFilename("txt");
+			ss << sanitize_path(logPath) << '-' << GenerateTimeDateFilename("txt");
 			logFilename = ss.str();
 		}
 	}