From 0c81469566d61172e888c3367d7415b174fab60b Mon Sep 17 00:00:00 2001
From: roboogg133 <Luizfernandojoaquimdasilva@proton.me>
Date: Wed, 20 Aug 2025 15:33:12 -0300
Subject: [PATCH] missed return in mkdir function

---
 internal/internal.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/internal/internal.go b/internal/internal.go
index 91bbf5f..d6d4757 100644
--- a/internal/internal.go
+++ b/internal/internal.go
@@ -443,11 +443,13 @@ func LMkdir(L *lua.LState) int {
 	if !IsSafe(path) {
 		L.Push(lua.LFalse)
 		L.Push(lua.LString("[packets] unsafe filepath\n"))
+		return 2
 	}
 
 	if err := os.MkdirAll(path, os.FileMode(perm)); err != nil {
 		L.Push(lua.LFalse)
 		L.Push(lua.LString("[packets] mkdir failed\n" + err.Error()))
+		return 2
 	}
 
 	L.Push(lua.LTrue)
@@ -462,13 +464,16 @@ func LuaCompile(L *lua.LState) int {
 
 		if strings.Contains(L.CheckString(i), "/") {
 
-			tryintoacess, err := filepath.Abs(filepath.Clean(L.CheckString(i)))
+			tryintoacess, err := filepath.Abs(filepath.Clean(filepath.Join(SandboxDir, L.CheckString(i))))
 			if err != nil {
 				L.Push(lua.LFalse)
 				L.Push(lua.LString("[packets] invalid filepath\n" + err.Error()))
 				return 2
 			}
-			if !strings.HasPrefix(tryintoacess, SandboxDir) {
+
+			fmt.Printf("sandboxdir: (%s) acessto: (%s)\n", SandboxDir, tryintoacess)
+			rel, err := filepath.Rel(SandboxDir, tryintoacess)
+			if err != nil || strings.HasPrefix(rel, "..") {
 				L.Push(lua.LFalse)
 				L.Push(lua.LString("[packets] unsafe filepath"))
 				return 2