From d6767327e8324619ecfcc9447c87795c5c60a6dd Mon Sep 17 00:00:00 2001
From: bigjakk
Date: Fri, 10 Apr 2026 13:19:54 -0700
Subject: [PATCH] fix: prevent path traversal in theme and background loading
---
 src/main/css-themes.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/main/css-themes.ts b/src/main/css-themes.ts
index 84536c8..a6569d1 100644
--- a/src/main/css-themes.ts
+++ b/src/main/css-themes.ts
@@ -32,7 +32,8 @@ export function getThemeCSS(themeId: string, swapDir: string): string {
 if (themeId === 'disabled' || !themeId) return '';
 const prefix = 'user:';
 if (!themeId.startsWith(prefix)) return '';
- const filename = themeId.slice(prefix.length);
+ const filename = basename(themeId.slice(prefix.length));
+ if (!filename) return '';
 try {
 return readFileSync(join(swapDir, 'themes', filename), 'utf-8');
 } catch { return ''; }
@@ -106,7 +107,8 @@ export function getLoadingScreenCSS(loadingTheme: string, backgroundUrl: string,
 } catch { /* read failed */ }
 }
 } else if (loadingTheme.startsWith('swap:')) {
- const filename = loadingTheme.slice(5);
+ const filename = basename(loadingTheme.slice(5));
+ if (!filename) return '';
 try {
 imageUrl = `url(${fileToDataUri(join(bgDir, filename))})`;
 } catch { /* read failed */ }
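Review bot: In getThemeCSS, `basename()` rewrites a traversal-shaped id to its last segment instead of rejecting it, so `user:../../x` now quietly loads `themes/x`, and `.` and `..` pass the `if (!filename)` check because `basename()` returns them unchanged (here they resolve to a directory and the read falls into the existing catch). Rejecting is easier to reason about and to log: `const name = themeId.slice(prefix.length);` followed by `if (!name || name === '.' || name === '..' || name !== basename(name)) return '';`. The same applies to the `swap:` branch in the getLoadingScreenCSS hunk, where what `fileToDataUri` does with a directory path is not visible. The diffstat's four insertions are all inside these two hunks, so no import line was added; confirm `basename` is already imported from `path` in this file. Symlinks placed inside the themes directory are still followed by `readFileSync`, which a name check alone does not cover.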
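Review bot: In the `swap:` branch of getLoadingScreenCSS, `if (!filename) return '';` exits the whole function with an empty string, while the neighbouring failure paths (`catch { /* read failed */ }`) only leave `imageUrl` unset and carry on. If the code after the hunk builds the rest of the loading-screen CSS, a bare `swap:` value now drops all of it rather than just the background; guarding the read instead, `if (filename) { try { … } catch { /* read failed */ } }`, keeps the fallback consistent. The literal `slice(5)` would also read better as a named prefix, as getThemeCSS does with `prefix.length`. The function body continues outside the hunk, so the fallback behaviour is inferred from the visible catch blocks.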