From 583a8b0e64458ff8975b8db159252b5cceafe753 Mon Sep 17 00:00:00 2001
From: Weiyu-Kong <1625827540@qq.com>
Date: Sat, 28 Dec 2024 17:08:33 +0800
Subject: [PATCH] add filename check to pass CodeQL check

---
 WEBtool/phishpedia_web.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/WEBtool/phishpedia_web.py b/WEBtool/phishpedia_web.py
index 95d4ed4..d684c83 100644
--- a/WEBtool/phishpedia_web.py
+++ b/WEBtool/phishpedia_web.py
@@ -35,6 +35,12 @@ def upload_file():
     if file and allowed_file(file.filename):
         filename = file.filename
+        if filename.count('.') > 1:
+            return jsonify({'error': 'Invalid file name'}), 400
+        elif any(sep in filename for sep in (os.sep, os.altsep)):
+            return jsonify({'error': 'Invalid file name'}), 400
+        elif '..' in filename:
+            return jsonify({'error': 'Invalid file name'}), 400
         file_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
         file_path = os.path.normpath(file_path)
         file.save(file_path)
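Review bot: On POSIX `os.altsep` is `None`, so the second added branch raises `TypeError` for any filename that does not contain `os.sep` (the generator reaches `None in filename` as soon as the first separator test is false), which turns every ordinary upload into a 500 instead of the intended 400. Skip the missing separator before testing: `elif any(sep in filename for sep in (os.sep, os.altsep) if sep):`. The `'..' in filename` branch is unreachable as written, because any name containing `..` has more than one dot and is already rejected by the first branch; that dot-count rule also refuses legitimate names such as `report.tar.gz`. A more durable check is to sanitise with `werkzeug.utils.secure_filename` and, after `os.path.normpath`, verify the result still lies inside `app.config['UPLOAD_FOLDER']` (for example via `os.path.commonpath`) before `file.save`. `upload_file` begins before this hunk and continues past it.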