From 0f0f64527958aff15ba0f2d0db302351c2a88851 Mon Sep 17 00:00:00 2001
From: "aikido[bot]"
Date: Sat, 2 Nov 2024 16:05:52 +0000
Subject: [PATCH] Fix for Potential file inclusion attack via reading file

---
 src/astroidapi/attachment_processor.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/astroidapi/attachment_processor.py b/src/astroidapi/attachment_processor.py
index 9ff6876..4d16eaa 100644
--- a/src/astroidapi/attachment_processor.py
+++ b/src/astroidapi/attachment_processor.py
@@ -30,6 +30,8 @@ async def download_attachment(attachment_url, registeredPlatforms):
     await surrealdb_handler.AttachmentProcessor.create_attachment(attachment_id, status="downloading", type=attachment_type, registeredPlatforms=registeredPlatforms)
     attachment = response.content
     attachment_path = f"{pathlib.Path(__file__).parent.resolve()}/TMP_attachments/{attachment_id}.{attachment_type}"
+    if '../' in attachment_path or '..\\' in attachment_path:
+        raise Exception("Invalid file path")
     with open(attachment_path, 'wb') as file:
         file.write(attachment)
         file.close()
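Review bot: The added guard is a substring denylist on the assembled string, which is a fragile way to enforce that the write stays inside `TMP_attachments`; a canonical containment check on the resolved path is the robust form, and it also rejects any other shape of `attachment_id`/`attachment_type` (whose origin is not visible in this hunk) that escapes or nests below the directory. The check also raises a bare `Exception`, so callers cannot distinguish it from other failures; `ValueError` is the conventional type. Note the guard runs after `create_attachment(..., status="downloading", ...)` has already recorded the attachment, so a rejected path presumably leaves that record in place — moving the check before the database write, or updating the status on rejection, would keep the two consistent. The redundant `file.close()` inside the `with` block is pre-existing and harmless. `download_attachment` starts before this hunk and may continue after it.
```python
    base_dir = pathlib.Path(__file__).parent.resolve() / "TMP_attachments"
    attachment_path = (base_dir / f"{attachment_id}.{attachment_type}").resolve()
    # Reject anything that does not canonicalise to a direct child of base_dir.
    if attachment_path.parent != base_dir:
        raise ValueError("Invalid file path")
    with open(attachment_path, 'wb') as file:
    # … unchanged: write and close …
```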