add filename check to pass CodeQL check

Areedd · Dec 28, 2024 · 583a8b0 · 583a8b0
1 parent 0404dfc
commit 583a8b0
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/WEBtool/phishpedia_web.py b/WEBtool/phishpedia_web.py
@@ -35,6 +35,12 @@ def upload_file():
 
     if file and allowed_file(file.filename):
         filename = file.filename
+        if filename.count('.') > 1:
+            return jsonify({'error': 'Invalid file name'}), 400
+        elif any(sep in filename for sep in (os.sep, os.altsep)):
+            return jsonify({'error': 'Invalid file name'}), 400
+        elif '..' in filename:
+            return jsonify({'error': 'Invalid file name'}), 400
         file_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
         file_path = os.path.normpath(file_path)
         file.save(file_path)