Sanitise inputs for 'gather_upstream_files'

tieneupin · tieneupin · commit b77fb7619ec8 · 2025-10-23T12:05:55.000+01:00
diff --git a/src/murfey/instrument_server/api.py b/src/murfey/instrument_server/api.py
@@ -487,11 +487,21 @@ def gather_upstream_files(
     """
     # Check for forbidden characters
     if any(c in visit_name for c in ("/", "\\", ":", ";")):
-        logger.error(f"Forbidden characters are present in the visit name {visit_name}")
+        logger.error(
+            f"Forbidden characters are present in visit name {sanitise(visit_name)}"
+        )
         return {
             "succss": False,
             "detail": "Forbidden characters present in visit name",
         }
+
+    # Sanitise inputs
+    download_dir = Path(sanitise(str(upstream_file_download.download_dir)))
+    upstream_instrument = sanitise(upstream_file_download.upstream_instrument)
+    upstream_visit_path = Path(
+        sanitise(str(upstream_file_download.upstream_visit_path))
+    )
+
     # Get the list of files to download
     murfey_url = urlparse(_get_murfey_url(), allow_fragments=False)
     sanitised_visit_name = sanitise_nonpath(visit_name)
@@ -505,13 +515,13 @@ def gather_upstream_files(
         f"{murfey_url.geturl()}{url_path}",
         headers={"Authorization": f"Bearer {tokens[session_id]}"},
         json={
-            "upstream_instrument": upstream_file_download.upstream_instrument,
-            "upstream_visit_path": str(upstream_file_download.upstream_visit_path),
+            "upstream_instrument": upstream_instrument,
+            "upstream_visit_path": str(upstream_visit_path),
         },
     ).json()
 
     # Make the download directory and download gathered files
-    upstream_file_download.download_dir.mkdir(exist_ok=True)
+    download_dir.mkdir(exist_ok=True)
     for upstream_file in upstream_files:
         url_path = url_path_for(
             "session_control.correlative_router",
@@ -526,9 +536,9 @@ def gather_upstream_files(
             stream=True,
         )
         upstream_file_relative_path = Path(upstream_file).relative_to(
-            upstream_file_download.upstream_visit_path
+            upstream_visit_path
         )
-        save_file = upstream_file_download.download_dir / upstream_file_relative_path
+        save_file = download_dir / upstream_file_relative_path
         save_file.parent.mkdir(parents=True, exist_ok=True)
         with open(save_file, "wb") as f:
             for chunk in file_data.iter_content(chunk_size=32 * 1024**2):
