feat: Security

toju-app/src/app/domains/attachment/infrastructure/util/attachment-storage.util.ts

@@ -26,6 +26,21 @@ export function resolveAttachmentStoredFilename(attachmentId: string, filename:
     : `${sanitizedAttachmentId}${sanitizedExtension}`;
 }
 
+export function isAllowedAttachmentStoredPath(candidatePath: string, appDataPath: string): boolean {
+  const normalizedCandidate = candidatePath.trim().replace(/\\/g, '/');
+  const normalizedRoot = appDataPath.trim().replace(/\\/g, '/')
+    .replace(/\/+$/, '');
+
+  if (!normalizedCandidate.startsWith(`${normalizedRoot}/`)) {
+    return false;
+  }
+
+  const relativePath = normalizedCandidate.slice(normalizedRoot.length + 1);
+
+  return relativePath.startsWith('server/')
+    || relativePath.startsWith('direct-messages/');
+}
+
 export function resolveAttachmentStorageBucket(mime: string): 'video' | 'audio' | 'image' | 'files' {
   if (mime.startsWith('video/')) {
     return 'video';