routes: Fix path joining when removing files and traverse detection

api/media/routes.mjs

@@ -199,7 +199,7 @@ export default class MediaRoutes {
 
     this.filesCacheRemove(site, ctx.params.filename)
 
-    let root = `${config.get('uploadFolder')}/${site}`
+    let root = path.join(config.get('uploadFolder'), site)
     var unlinkPath = path.join(root, decodeURIComponent(ctx.params.filename))
 
     if (unlinkPath.indexOf(root) !== 0) {

test/media/routes.test.mjs

@@ -1,4 +1,5 @@
 import fs from 'fs/promises'
+import path from 'path'
 import { Eltro as t, assert, stub } from 'eltro'
 import { HttpError } from 'flaska'
 import { createContext } from '../helper.server.mjs'
@@ -936,7 +937,7 @@ t.describe('#remove()', function() {
     assert.match(err.message, new RegExp(assertFilename))
     assert.match(err.message, new RegExp(assertErrorMessage))
 
-    assert.strictEqual(stubUnlink.firstCall[0], `./public/${assertSiteName}/${assertFilename}`)
+    assert.strictEqual(stubUnlink.firstCall[0], path.join(`./public/${assertSiteName}/`, assertFilename))
   })
 
   t.test('should otherwise return 204 status and remove from array', async function() {