Jenkins / JENKINS-6678

Workspace input field allows unwanted access to content outside of the workspace

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • core
    • None

      In a job's workspace browser, there is an input field, which allows unwanted access to content outside of the workspace. For example, one can enter "../config.xml" and it will return the job's config. Other combinations of "../../../../" end up redirecting to bogus URLs, like "http://127.0.0.1:11111null/".

      Additional checks need to be made before performing any file resolution or URL redirection that the target file is actually under the workspace currently being browsed.

      There is a potential security hazard here, if the input field resolves to an actual file which is outside of the workspace.

            Assignee: Unassigned
            Reporter: user57
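
One way to implement the containment check the report asks for, as an added example (not Jenkins code and not part of the original report). The class name, the method name and the temporary directory layout are assumptions made up for illustration; it needs Java 11 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

public class WorkspaceBrowseCheck {

    /** Returns the resolved file only if it really lies inside the workspace (hypothetical helper). */
    static Optional<Path> resolveInside(Path workspace, String userInput) throws IOException {
        Path root = workspace.toRealPath();                   // canonical root, symlinks resolved
        Path candidate;
        try {
            candidate = root.resolve(userInput).normalize();  // collapses "." and ".." segments
        } catch (InvalidPathException e) {                    // e.g. embedded NUL character
            return Optional.empty();
        }
        // Path.startsWith compares whole name elements, so "/job/workspace-old" does not
        // match "/job/workspace". An absolute userInput replaces root in resolve() and
        // fails this check as well.
        if (!candidate.startsWith(root) || !Files.exists(candidate)) {
            return Optional.empty();
        }
        // Resolve symlinks in the target too, then re-check: a link inside the workspace
        // may point outside of it.
        Path real = candidate.toRealPath();
        return real.startsWith(root) ? Optional.of(real) : Optional.empty();
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <job>/config.xml and <job>/workspace/src/Main.java
        Path job = Files.createTempDirectory("job");
        Path workspace = Files.createDirectories(job.resolve("workspace"));
        Files.writeString(job.resolve("config.xml"), "<project/>");
        Files.createDirectories(workspace.resolve("src"));
        Files.writeString(workspace.resolve("src/Main.java"), "class Main {}");

        String[] inputs = {
            "src/Main.java", "src/../src/Main.java", "../config.xml",
            "../../../../", job.resolve("config.xml").toString(), "missing.txt"
        };
        for (String in : inputs) {
            boolean ok = resolveInside(workspace, in).isPresent();
            System.out.println((ok ? "ALLOW  " : "REJECT ") + in);
        }
    }
}
```

Only a path that passes this check should be served or used to build a redirect; anything else is answered with an error rather than a computed URL.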