Prevent invalid root paths

kittens/ssh/options/definition.py

@@ -26,9 +26,10 @@ against is the hostname used by the remote computer, not the name you pass
 to SSH to connect to it.
 ''')
 
-opt('remote_dir', '.local/share/kitty-ssh-kitten', long_text='''
+opt('remote_dir', '.local/share/kitty-ssh-kitten', option_type='relative_dir', long_text='''
 The location on the remote computer where the files needed for this kitten
-are installed. The location is relative to the HOME directory for relative paths.
+are installed. The location is relative to the HOME directory. Absolute paths or paths
+that resolve to a location outside the HOME are not allowed.
 ''')
 
 opt('shell_integration', 'inherit', long_text='''

kittens/ssh/options/utils.py

@@ -2,11 +2,22 @@
 # License: GPLv3 Copyright: 2022, Kovid Goyal <kovid at kovidgoyal.net>
 
 from typing import Any, Dict, Optional, Iterable, Tuple
+import posixpath
 
 
 DELETE_ENV_VAR = '_delete_this_env_var_'
 
 
+def relative_dir(val: str) -> str:
+    if posixpath.isabs(val):
+        raise ValueError(f'Absolute paths not allowed. {val} is invalid.')
+    base = '/ffjdg'
+    q = posixpath.normpath(posixpath.join(base, val))
+    if q == base or not q.startswith(base):
+        raise ValueError(f'Paths that escape their parent dir are not allowed. {val} is not valid')
+    return posixpath.normpath(val)
+
+
 def env(val: str, current_val: Dict[str, str]) -> Iterable[Tuple[str, str]]:
     val = val.strip()
     if val: