fix: Deep is_parent was wrong and could be escapped (#1801)

* fix: Deep is_parent was wrong and could be escapped

* Update lib.rs

backend/src/procedure/js_scripts.rs

@@ -418,3 +418,46 @@ async fn js_action_test_deep_dir() {
         .unwrap()
         .unwrap();
 }
+#[tokio::test]
+async fn js_action_test_deep_dir_escape() {
+    let js_action = JsProcedure { args: vec![] };
+    let path: PathBuf = "test/js_action_execute/"
+        .parse::<PathBuf>()
+        .unwrap()
+        .canonicalize()
+        .unwrap();
+    let package_id = "test-package".parse().unwrap();
+    let package_version: Version = "0.3.0.3".parse().unwrap();
+    let name = ProcedureName::Action("test-deep-dir-escape".parse().unwrap());
+    let volumes: Volumes = serde_json::from_value(serde_json::json!({
+        "main": {
+            "type": "data"
+        },
+        "compat": {
+            "type": "assets"
+        },
+        "filebrowser" :{
+            "package-id": "filebrowser",
+            "path": "data",
+            "readonly": true,
+            "type": "pointer",
+            "volume-id": "main",
+        }
+    }))
+    .unwrap();
+    let input: Option<serde_json::Value> = None;
+    let timeout = Some(Duration::from_secs(10));
+    js_action
+        .execute::<serde_json::Value, serde_json::Value>(
+            &path,
+            &package_id,
+            &package_version,
+            name,
+            &volumes,
+            input,
+            timeout,
+        )
+        .await
+        .unwrap()
+        .unwrap();
+}

backend/src/util/http_reader.rs

@@ -345,7 +345,7 @@ async fn s9pk_test() {
     let http_url = Url::parse("https://github.com/Start9Labs/hello-world-wrapper/releases/download/v0.3.0/hello-world.s9pk").unwrap();
 
     println!("Getting this resource: {}", http_url);
-    let mut test_reader =
+    let test_reader =
         BufReader::with_capacity(1024 * 1024, HttpReader::new(http_url).await.unwrap());
 
     let mut s9pk = crate::s9pk::reader::S9pkReader::from_reader(test_reader, true)