Secure filename

cavenel · Dec 4, 2023 · 30cb4ff · 30cb4ff
1 parent 2a39d2d
commit 30cb4ff
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/tissuumaps/views.py b/tissuumaps/views.py
@@ -45,6 +45,7 @@
     guess_schema_version,
 )
 from werkzeug.exceptions import MethodNotAllowed, NotFound
+from werkzeug.utils import secure_filename
 from werkzeug.routing import RequestRedirect
 
 from tissuumaps import app, read_h5ad
@@ -865,7 +866,13 @@ def h5ad_csv(path, type, filename, ext):
         # Directory traversal
         abort(404)
         return
-    filename = unquote(filename)
+    if type not in ["obs", "var", "uns"]:
+        abort(404)
+        return
+    if ext not in ["h5ad", "adata"]:
+        abort(404)
+        return
+    filename = secure_filename(unquote(filename))
     csvPath = f"{completePath}_files/csv/{type}/{filename}.csv"
     generate_csv = True
     if os.path.isfile(csvPath):