Fix for Potential file inclusion attack via reading file

inter0hm · Nov 2, 2024 · 88a53cc · 88a53cc
1 parent 258e919
commit 88a53cc
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/astroidapi/attachment_processor.py b/src/astroidapi/attachment_processor.py
@@ -30,6 +30,8 @@ async def download_attachment(attachment_url, registeredPlatforms):
             await surrealdb_handler.AttachmentProcessor.create_attachment(attachment_id, status="downloading", type=attachment_type, registeredPlatforms=registeredPlatforms)
             attachment = response.content
             attachment_path = f"{pathlib.Path(__file__).parent.resolve()}/TMP_attachments/{attachment_id}.{attachment_type}"
+            if '../' in attachment_path or '..\\' in attachment_path:
+                raise Exception("Invalid file path")
             with open(attachment_path, 'wb') as file:
                 file.write(attachment)
                 file.close()