Update python sdk to strip any directory traversal in filename (#22965)

* update python sdk Strip any directory traversal * rebased * update samples, docs * fallback case --------- Co-authored-by: Pavel Slabko <slabkopg@gmail.com>
2026-02-14 00:57:57 +08:00
parent a8ccfad285
commit 73dcdd6976
7 changed files with 21 additions and 7 deletions
--- a/samples/client/echo_api/python/openapi_client/api_client.py
+++ b/samples/client/echo_api/python/openapi_client/api_client.py
@@ -708,7 +708,9 @@ class ApiClient:
                content_disposition
            )
            assert m is not None, "Unexpected 'content-disposition' header value"
-            filename = m.group(1)
+            filename = os.path.basename(m.group(1))  # Strip any directory traversal
+            if filename in ("", ".", ".."):  # fall back to tmp filename
+                filename = os.path.basename(path)
            path = os.path.join(os.path.dirname(path), filename)

        with open(path, "wb") as f: