relation_engine_server/utils/spec_loader.py takes user input and uses it to fetch files from the spec directory. Relative paths (using ../../) are allowed by the spec loader, with no protection against paths that aren't in the spec directory. Ensure that the spec loader does not permit files outside the spec directory (or whatever is configured as the place where spec files are stored) to be fetched.
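One way to implement the containment check requested above, as an added example that is not code from the project: `resolve_spec_path`, `SpecPathError` and the directory layout built in `demo` are hypothetical names constructed for illustration. It resolves the requested path first and then compares path components, so `../` sequences, symlinks and sibling directories that merely share the `spec` prefix are all rejected.

```python
import os
import tempfile
from pathlib import Path

class SpecPathError(ValueError):
    """Raised when a requested spec path does not resolve inside the spec root."""

def resolve_spec_path(spec_root, user_path):
    """Hypothetical helper: return the real path under spec_root or raise."""
    root = Path(spec_root).resolve(strict=True)
    # Joining an absolute user path would silently discard the root.
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise SpecPathError("absolute paths and NUL bytes are not allowed")
    # resolve() collapses ".." and follows symlinks, so the check is made
    # on the location that would actually be opened.
    candidate = (root / user_path).resolve()
    # Compare components, not string prefixes: a sibling such as
    # "spec_private" must not pass as being inside "spec".
    if root not in candidate.parents:
        raise SpecPathError(f"{user_path!r} is outside the spec directory")
    return candidate

# Constructed requests covering the cases the check has to handle.
REQUESTS = (
    "collections/example.yaml",            # ordinary lookup
    "collections/../views/example.json",   # ".." that stays inside the root
    "../../etc/passwd",                    # classic traversal
    "../spec_private/secret.txt",          # sibling sharing the "spec" prefix
    "link/secret.txt",                     # symlink pointing out of the root
    "/etc/passwd",                         # absolute path
)

def demo():
    """Run every request against a constructed temporary layout."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        spec, private = Path(tmp, "spec"), Path(tmp, "spec_private")
        for d in (spec / "collections", spec / "views", private):
            d.mkdir(parents=True)
        (private / "secret.txt").write_text("secret\n")
        os.symlink(private, spec / "link")
        for name in REQUESTS:
            try:
                resolve_spec_path(spec, name)
                outcomes[name] = "allowed"
            except SpecPathError:
                outcomes[name] = "rejected"
    return outcomes
```

The loader should open only the path this function returns, never the original user string, so the file that was checked is the file that is read.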