fix: reject path separators in embedded filenames

Signed-off-by: Stephen Crowe <6042774+crowecawcaw@users.noreply.github.com>

Author: crowecawcaw

src/openjd/model/v2023_09/_model.py

@@ -509,6 +509,10 @@ def _validate_name(cls, v: str, info: ValidationInfo) -> str:
     def _validate_filename(cls, v: Optional[Filename], info: ValidationInfo) -> Optional[Filename]:
         if v is None:
             return v
+        if "/" in v or "\\" in v:
+            raise ValueError(
+                "filename must be a basename only and cannot contain path separators ('/' or '\\\\')"
+            )
         context = cast(Optional[ModelParsingContext], info.context)
         max_len = 256 if context and "FEATURE_BUNDLE_1" in context.extensions else 64
         if len(v) > max_len:

test/openjd/model/v2023_09/test_embedded.py

@@ -63,7 +63,14 @@ def test_parse_success(self, data: dict[str, Any]) -> None:
                 {"name": "foo", "type": "TEXT", "data": "some text", "runnable": "True"},
                 id="runnable must be bool",
             ),
-            # TODO - tests for filename allowed characters
+            pytest.param(
+                {"name": "foo", "type": "TEXT", "data": "some text", "filename": "dir/file.txt"},
+                id="filename with forward slash",
+            ),
+            pytest.param(
+                {"name": "foo", "type": "TEXT", "data": "some text", "filename": "dir\\file.txt"},
+                id="filename with backslash",
+            ),
         ),
     )
     def test_parse_fails(self, data: dict[str, Any]) -> None: