API doesn't protect against directory traversal attack: 
