fix: 🐛 Solve security alerts

wizarrrr · Jul 31, 2024 · c719c29 · c719c29
1 parent e6e9d68
commit c719c29
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/apps/wizarr-backend/wizarr_backend/api/routes/image_api.py b/apps/wizarr-backend/wizarr_backend/api/routes/image_api.py
@@ -60,6 +60,9 @@ class ImageAPI(Resource):
     @api.response(500, "Internal server error")
     def get(self, filename):
         """Get image"""
+        # Sanitize the filename to avoid directory traversal
+        filename = secure_filename(filename)
+
         # Assuming images are stored in a directory specified by UPLOAD_FOLDER config
         upload_folder = current_app.config['UPLOAD_FOLDER']
         image_path = os.path.join(upload_folder, filename)
@@ -74,6 +77,9 @@ def get(self, filename):
     @api.response(500, "Internal server error")
     def delete(self, filename):
         """Delete image"""
+        # Sanitize the filename to avoid directory traversal
+        filename = secure_filename(filename)
+
         upload_folder = current_app.config['UPLOAD_FOLDER']
         image_path = os.path.join(upload_folder, filename)