From 5266d170a3746044dadf98f9ba4bf09c7a6edba4 Mon Sep 17 00:00:00 2001 From: VectorPeak <73048950+VectorPeak@users.noreply.github.com> Date: Wed, 24 Jun 2026 15:55:01 +0800 Subject: [PATCH] fix: prevent path traversal vulnerability in knowledge base upload filenames (#8971) --- astrbot/dashboard/services/knowledge_base_service.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/astrbot/dashboard/services/knowledge_base_service.py b/astrbot/dashboard/services/knowledge_base_service.py index ad2121c9a..c7f954641 100644 --- a/astrbot/dashboard/services/knowledge_base_service.py +++ b/astrbot/dashboard/services/knowledge_base_service.py @@ -495,7 +495,9 @@ class KnowledgeBaseService: files_to_upload = [] for file in file_list: - file_name = file.filename + file_name = Path(str(file.filename or "document").replace("\\", "/")).name + if file_name in {"", ".", ".."}: + file_name = "document" temp_file_path = ( Path(get_astrbot_temp_path()) / f"kb_upload_{uuid.uuid4()}_{file_name}" )