fix #3582: isCreatableName

src/server/models/page.js

@@ -533,6 +533,8 @@ module.exports = function(crowi) {
       /\s+\/\s+/, // avoid miss in renaming
       /.+\/edit$/,
       /.+\.md$/,
+      /^(\.\.)$/, // see: https://github.com/weseek/growi/issues/3582
+      /(\/\.\.)\/?/, // see: https://github.com/weseek/growi/issues/3582
       /^\/(installer|register|login|logout|admin|me|files|trash|paste|comments|tags|share)(\/.*|$)/,
     ];
 

src/test/models/page.test.js

@@ -193,6 +193,12 @@ describe('Page', () => {
 
       expect(Page.isCreatableName('/hoge/xx.md')).toBeFalsy();
 
+      // relative path
+      expect(Page.isCreatableName('/..')).toBeFalsy();
+      expect(Page.isCreatableName('/../page')).toBeFalsy();
+      expect(Page.isCreatableName('/page/..')).toBeFalsy();
+      expect(Page.isCreatableName('/page/../page')).toBeFalsy();
+
       // start with https?
       expect(Page.isCreatableName('/http://demo.growi.org/hoge')).toBeFalsy();
       expect(Page.isCreatableName('/https://demo.growi.org/hoge')).toBeFalsy();