From 1191b34fd478bb11bcffa0f7f0b9f6bd4f7af6b0 Mon Sep 17 00:00:00 2001
From: "Junyan Qin (Chin)"
Date: Fri, 26 Sep 2025 13:22:19 +0800
Subject: [PATCH] fix: CVE-2025-59835 (#1691)

---
 pkg/api/http/controller/groups/files.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/api/http/controller/groups/files.py b/pkg/api/http/controller/groups/files.py
index b3c1a3f1..c90d172e 100644
--- a/pkg/api/http/controller/groups/files.py
+++ b/pkg/api/http/controller/groups/files.py
@@ -15,6 +15,9 @@ class FilesRouterGroup(group.RouterGroup):
     async def initialize(self) -> None:
         @self.route('/image/', methods=['GET'], auth_type=group.AuthType.NONE)
         async def _(image_key: str) -> quart.Response:
+            if '/' in image_key or '\\' in image_key:
+                return quart.Response(status=404)
+
             if not await self.ap.storage_mgr.storage_provider.exists(image_key):
                 return quart.Response(status=404)
 
@@ -36,6 +39,10 @@ class FilesRouterGroup(group.RouterGroup):
             extension = file.filename.split('.')[-1]
             file_name = file.filename.split('.')[0]
 
+            # check if file name contains '/' or '\'
+            if '/' in file_name or '\\' in file_name:
+                return self.fail(400, 'File name contains invalid characters')
+
             file_key = file_name + '_' + str(uuid.uuid4())[:8] + '.' + extension
             # save file to storage
             await self.ap.storage_mgr.storage_provider.save(file_key, file_bytes)
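Review bot: The added guard on `image_key` in the first hunk is a denylist of two separator characters, so it only blocks the traversal form that spells out `/` or `\`; whether other inputs (a bare `..`, or separators specific to the configured provider) can still reach something outside the intended location depends on what `storage_provider.exists` and the read path that follows do with the key, which is not visible here. An allowlist states the accepted shape positively and keeps the 404 behaviour, e.g. `if not re.fullmatch(r'[A-Za-z0-9._-]+', image_key): return quart.Response(status=404)` (with `re` imported at file level, if it is not already). The route handler and `initialize` both continue past the end of this hunk.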
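Review bot: In the second hunk the separator check covers `file_name` but not `extension`, and both are spliced into `file_key` two lines later, so a filename whose last dot-separated segment contains a separator (`a.b/c` gives `file_name == 'a'` and `extension == 'b/c'`) still reaches `storage_provider.save` with a separator in the key. Validate the whole original name before splitting, e.g. `if '/' in file.filename or '\\' in file.filename: return self.fail(400, 'File name contains invalid characters')`, or apply the same test to `extension` as well. The enclosing upload handler starts before this hunk, so whether `file.filename` can be empty or `None` at this point cannot be confirmed from the diff.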