
Bypass security check: do not allow ../ in path #5250

@novysodope


Check

  • I have already read Docs page
  • I have already searched existing issues

Feature Request

When browsing the project code, I found a vulnerability fix for arbitrary file reading:

security check: do not allow ../ in path

After a brief thought, I found that this safety check is incomplete, that is to say, I can bypass it here.

In Windows, I can use ..\ to bypass:

{% include_code ..\..\..\..\..\..\..\..\..\..\..\test.txt %}


The Linux file system does not support reading backslashes; theoretically it can be read through ..\/..\/..\/..\/..\/etc/passwd, but I did not verify this successfully on Linux. This operation was only verified successfully in the Windows environment.

So my suggestion is to not only disallow ../ in the path, but also disallow ..\ in the path, or change ../ to .. , file
