fix: prevent path traversal vulnerability in knowledge base upload filenames (#8971)

This commit is contained in:
VectorPeak
2026-06-24 15:55:01 +08:00
committed by GitHub
parent ae29a7eaf9
commit 5266d170a3

View File

@@ -495,7 +495,9 @@ class KnowledgeBaseService:
files_to_upload = []
for file in file_list:
file_name = file.filename
file_name = Path(str(file.filename or "document").replace("\\", "/")).name
if file_name in {"", ".", ".."}:
file_name = "document"
temp_file_path = (
Path(get_astrbot_temp_path()) / f"kb_upload_{uuid.uuid4()}_{file_name}"
)