From 75deaa8fdfc15f663aa157a7caea3b2c0efb285b Mon Sep 17 00:00:00 2001
From: Bart Koelman <104792814+bart-vmware@users.noreply.github.com>
Date: Thu, 21 May 2026 15:12:35 +0200
Subject: [PATCH] Block deleting from outside network share root

---
 .../FileSharesWeb/Controllers/FilesController.cs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/FileShares/src/FileSharesWeb/Controllers/FilesController.cs b/FileShares/src/FileSharesWeb/Controllers/FilesController.cs
index 957387038..65044b0bd 100644
--- a/FileShares/src/FileSharesWeb/Controllers/FilesController.cs
+++ b/FileShares/src/FileSharesWeb/Controllers/FilesController.cs
@@ -48,8 +48,17 @@ public ActionResult List()
 [HttpDelete]
 public JsonResult Delete(string fileToDelete)
 {
- string actualFileName = HttpUtility.UrlDecode(fileToDelete);
- SystemFile.Delete(actualFileName);
- return Json($"Successfully deleted {actualFileName}");
+ string fileName = HttpUtility.UrlDecode(fileToDelete);
+ string shareRoot = Path.GetFullPath(fileShareConfiguration.Location);
+ string filePath = Path.GetFullPath(Path.Combine(shareRoot, fileName));
+
+ if (!filePath.StartsWith(shareRoot + '\\', StringComparison.OrdinalIgnoreCase) &&
+ !filePath.StartsWith(shareRoot + '/', StringComparison.OrdinalIgnoreCase))
+ {
+ throw new UnauthorizedAccessException("Deleting files outside the share root is not permitted.");
+ }
+
+ SystemFile.Delete(filePath);
+ return Json($"Successfully deleted {fileName}");
 }
 }
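Review bot: The prefix check in the new `Delete` body rejects every delete when the configured `fileShareConfiguration.Location` already ends in a separator (`C:\shares\` or `\\server\share\`), because `shareRoot + '\\'` then contains a doubled separator that `Path.GetFullPath` has collapsed out of `filePath`, so nothing ever matches (it fails closed, but the endpoint is dead). Build the prefix from a trimmed root instead, e.g. `string rootPrefix = shareRoot.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;` and test `filePath.StartsWith(rootPrefix, …)`, which on Windows also makes the second `'/'` branch redundant since `GetFullPath` normalizes slashes there. `StringComparison.OrdinalIgnoreCase` is correct for Windows shares, but if this ever runs on a case-sensitive file system it lets a `..` sequence escape into a sibling directory whose name differs only by case, so use `StringComparison.Ordinal` when not on Windows. Note the guard is purely lexical: a junction or symlink inside the share that targets a location outside it still passes, which is worth a comment on the check if that is an accepted risk here.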