ctlsock: interpret paths that point above CWD as ""

Paths that start with ".." were previously accepted as-is.

internal/ctlsock/sanitize.go

@@ -2,19 +2,29 @@ package ctlsock
 
 import (
 	"path/filepath"
+	"strings"
 )
 
 // SanitizePath adapts filepath.Clean for FUSE paths.
-// 1) It always returns a relative path
+// 1) A leading slash is dropped
 // 2) It returns "" instead of "."
+// 3) If the cleaned path points above CWD (start with ".."), an empty string
+//    is returned
 // See the TestSanitizePath testcases for examples.
 func SanitizePath(path string) string {
-	clean := filepath.Clean(path)
+	if len(path) == 0 {
-	if clean == "." || clean == "/" {
 		return ""
 	}
-	if clean[0] == '/' {
+	// Drop leading slash
-		clean = clean[1:]
+	if path[0] == '/' {
+		path = path[1:]
+	}
+	clean := filepath.Clean(path)
+	if clean == "." {
+		return ""
+	}
+	if clean == ".." || strings.HasPrefix(clean, "../") {
+		return ""
 	}
 	return clean
 }

internal/ctlsock/sanitize_test.go

@@ -15,6 +15,10 @@ func TestSanitizePath(t *testing.T) {
 		{"/foo/", "foo"},
 		{"/foo/./foo", "foo/foo"},
 		{"./", ""},
+		{"..", ""},
+		{"foo/../..", ""},
+		{"foo/../../aaaaaa", ""},
+		{"/foo/../../aaaaaa", ""},
 	}
 	for _, tc := range testCases {
 		res := SanitizePath(tc[0])