From efd3500dacbef6f28e9463ff9601a0deb42c6400 Mon Sep 17 00:00:00 2001
From: clawbot <clawbot@eeqj.de>
Date: Fri, 20 Feb 2026 03:33:19 -0800
Subject: [PATCH] fix: HandleVolumeAdd validates host and container paths
 (closes #107)

---
 internal/handlers/app.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/internal/handlers/app.go b/internal/handlers/app.go
index 54b72bc..28382de 100644
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -1022,6 +1022,14 @@ func (h *Handlers) HandleVolumeAdd() http.HandlerFunc {
 			return
 		}
 
+		pathErr := validateVolumePaths(hostPath, containerPath)
+		if pathErr != nil {
+			h.log.Error("invalid volume path", "error", pathErr)
+			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
+
+			return
+		}
+
 		volume := models.NewVolume(h.db)
 		volume.AppID = application.ID
 		volume.HostPath = hostPath