geopython
diff --git a/‎pygeoapi/provider/filesystem.py‎
Lines changed: 9 additions & 2 deletions b/‎pygeoapi/provider/filesystem.py‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎tests/provider/test_filesystem_provider.py‎
Lines changed: 5 additions & 1 deletion b/‎tests/provider/test_filesystem_provider.py‎
Lines changed: 5 additions & 1 deletion
@@ -2,7 +2,7 @@
 #
 # Authors: Tom Kralidis <tomkralidis@gmail.com>
 #
-# Copyright (c) 2023 Tom Kralidis
+# Copyright (c) 2026 Tom Kralidis
 #
 # Permission is hereby granted, free of charge, to any person
 # obtaining a copy of this software and associated documentation
@@ -34,6 +34,7 @@
 import os
 
 from pygeoapi.provider.base import (BaseProvider, ProviderConnectionError,
+                                    ProviderInvalidQueryError,
                                     ProviderNotFoundError)
 from pygeoapi.util import file_modified_iso8601, get_path_basename, url_join
 
@@ -76,9 +77,15 @@ def get_data_path(self, baseurl, urlpath, dirpath):
         root_link = None
         child_links = []
 
-        data_path = os.path.join(self.data, dirpath)
+        if '..' in dirpath:
+            msg = f'Invalid path requested'
+            LOGGER.error(f'{msg}: {dirpath}')
+            raise ProviderInvalidQueryError(msg)
+
         data_path = self.data + dirpath
 
+        LOGGER.debug(f'Data path: {data_path}')
+
         if '/' not in dirpath:  # root
             root_link = baseurl
         else:
 
@@ -2,7 +2,7 @@
 #
 # Authors: Tom Kralidis <tomkralidis@gmail.com>
 #
-# Copyright (c) 2021 Tom Kralidis
+# Copyright (c) 2026 Tom Kralidis
 #
 # Permission is hereby granted, free of charge, to any person
 # obtaining a copy of this software and associated documentation
@@ -30,6 +30,7 @@
 import os
 import pytest
 
+from pygeoapi.provider.base import ProviderInvalidQueryError
 from pygeoapi.provider.filesystem import FileSystemProvider
 
 THISDIR = os.path.dirname(os.path.realpath(__file__))
@@ -73,3 +74,6 @@ def test_query(config):
         'osm_id': 'int'
     }
     assert r['assets']['default']['href'] == 'http://example.org/stac/poi_portugal.gpkg'  # noqa
+
+    with pytest.raises(ProviderInvalidQueryError):
+        _ = p.get_data_path(baseurl, urlpath, '../../poi_portugal')
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`#`
`3`	`3`	`# Authors: Tom Kralidis <tomkralidis@gmail.com>`
`4`	`4`	`#`
`5`		`-# Copyright (c) 2021 Tom Kralidis`
	`5`	`+# Copyright (c) 2026 Tom Kralidis`
`6`	`6`	`#`
`7`	`7`	`# Permission is hereby granted, free of charge, to any person`
`8`	`8`	`# obtaining a copy of this software and associated documentation`
`@@ -30,6 +30,7 @@`
`30`	`30`	`import os`
`31`	`31`	`import pytest`
`32`	`32`
	`33`	`+from pygeoapi.provider.base import ProviderInvalidQueryError`
`33`	`34`	`from pygeoapi.provider.filesystem import FileSystemProvider`
`34`	`35`
`35`	`36`	`THISDIR = os.path.dirname(os.path.realpath(__file__))`
`@@ -73,3 +74,6 @@ def test_query(config):`
`73`	`74`	`'osm_id': 'int'`
`74`	`75`	`}`
`75`	`76`	`assert r['assets']['default']['href'] == 'http://example.org/stac/poi_portugal.gpkg' # noqa`
	`77`	`+`
	`78`	`+ with pytest.raises(ProviderInvalidQueryError):`
	`79`	`+ _ = p.get_data_path(baseurl, urlpath, '../../poi_portugal')`