diff --git a/posimai-dev/server.js b/posimai-dev/server.js
index 84106243..99b5d85f 100644
--- a/posimai-dev/server.js
+++ b/posimai-dev/server.js
@@ -73,6 +73,7 @@ app.get('/api/sessions', requireLocal, (req, res) => {
 // セッション内容 API
 app.get('/api/sessions/:id', requireLocal, (req, res) => {
   const file = path.join(SESSIONS_DIR, req.params.id + '.log');
+  if (!file.startsWith(SESSIONS_DIR + path.sep)) return res.status(400).json({ error: 'invalid' });
   if (!fs.existsSync(file)) return res.status(404).json({ error: 'not found' });
   res.type('text/plain').send(fs.readFileSync(file, 'utf8'));
 });
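Review bot: The added guard compares `file`, which `path.join` has normalized, against the raw `SESSIONS_DIR + path.sep`, so the check is only correct when `SESSIONS_DIR` is already absolute and normalized; a relative or trailing-slash value (`./sessions`, `sessions/`) makes the prefix never match and every request fails with 400, and `SESSIONS_DIR` is declared outside this hunk so that cannot be confirmed here. Resolving both sides removes the dependency: `const base = path.resolve(SESSIONS_DIR);` / `const file = path.resolve(base, req.params.id + '.log');` / `if (path.dirname(file) !== base) return res.status(400).json({ error: 'invalid' });`. The `dirname` comparison also rejects ids that contain a separator, which the `startsWith` form lets through into subdirectories of `SESSIONS_DIR`; if nested log files are intended, compare with `path.relative(base, file)` and reject results that are absolute or begin with `..` instead. Separately, the `existsSync`/`readFileSync` pair on the following lines can still throw (the file disappearing between the two calls, or an id that names a directory), which falls through to Express's default 500 rather than the 404/400 contract; a `try`/`catch` around the read that maps `ENOENT`/`EISDIR` to 404 would close that gap.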