We should keep and restrict all the data for any datapackage under the corresponding bitstore key (dir), in the subkeys (subdirs/files), so that a malicious or careless user uploading a datapackage resource will never overwrite any other datapackage's data or metadata.
To achieve that, we should forbid resource paths from referring to the parent directory with double dots (`../`). On the client, it could be checked during the datapackage validation.
See also the same server side restriction: https://github.com/frictionlessdata/dpr-api/issues/189
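
A sketch of the client-side check described above, as an added example that is not code from this project. The function names and the sample descriptor are hypothetical. It assumes a resource `path` is a string or a list of strings and that http(s) URLs are not stored under the package key, and it goes slightly beyond `../` by also rejecting absolute paths, backslash separators and percent-encoded dots.

```python
from urllib.parse import unquote, urlparse

def is_safe_relative_path(path):
    """Return True if `path` cannot leave the datapackage's own directory."""
    if not isinstance(path, str) or not path:
        return False
    # Check the raw and percent-decoded forms, in case the store decodes keys.
    for candidate in (path, unquote(path)):
        # Treat backslashes as separators so "..\\x" is caught as well.
        normalized = candidate.replace("\\", "/")
        if normalized.startswith("/") or normalized[1:2] == ":":
            return False  # absolute path or Windows drive letter
        if ".." in normalized.split("/"):
            return False  # parent-directory segment
    return True

def unsafe_resource_paths(descriptor):
    """List (resource index, path) pairs that fail the check."""
    offending = []
    for index, resource in enumerate(descriptor.get("resources", [])):
        paths = resource.get("path", [])
        if isinstance(paths, str):
            paths = [paths]
        for path in paths:
            # Assumption: remote http(s) resources are not written under the key.
            if isinstance(path, str) and urlparse(path).scheme in ("http", "https"):
                continue
            if not is_safe_relative_path(path):
                offending.append((index, path))
    return offending

# Constructed sample descriptor (not taken from a real package).
SAMPLE_DESCRIPTOR = {
    "name": "example-package",
    "resources": [
        {"name": "ok", "path": "data/prices.csv"},
        {"name": "parent", "path": "../other-package/datapackage.json"},
        {"name": "nested", "path": "data/../../other-package/data.csv"},
        {"name": "remote", "path": "https://example.com/data.csv"},
        {"name": "multi", "path": ["data/a.csv", "/datapackage.json"]},
        {"name": "dots-in-name", "path": "data/..hidden.csv"},
        {"name": "backslash", "path": "data\\..\\..\\x.csv"},
        {"name": "encoded", "path": "%2e%2e/other-package/datapackage.json"},
    ],
}

if __name__ == "__main__":
    for index, path in unsafe_resource_paths(SAMPLE_DESCRIPTOR):
        print(f"resource[{index}]: unsafe path {path!r}")
```

The check compares whole path segments, so a file name such as `..hidden.csv` is still accepted.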