File tree Expand file tree Collapse file tree 1 file changed +19
-0
lines changed
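--- a/certificate_generator/app
+++ b/certificate_generator/app
@@ -40,13 +40,32 @@ def render_certificate():
     return render_template('download.html', file_name=file_name)
 
 
+def is_valid_filename(filename):
+    """
+    Check if the filename is valid
+    - Prevents directory traversal attacks (with / or ..)
+    - Only allows alphanumeric characters and dots
+
+    Args:
+        filename: str
+
+    Returns:
+        bool - whether the filename is valid (True = valid, False = invalid)
+    """
+    return filename.isalnum() or filename.replace('.', '').isalnum()
+
+
 @app.route('/download_certificate', methods=['GET'])
 def download():
     """
     Download the generated certificate
     """
     if request.method == "GET":
         filename = request.args.get("filename")
+        if not filename or '..' in filename or not is_valid_filename(filename):
+            return "Invalid filename", 400
         filepath = os.path.join("static/certificates/generated", filename)
+        if not os.path.isfile(filepath):
+            return "File not found", 404
         return send_file(filepath, as_attachment=True, cache_timeout=0,
                          attachment_filename=filename)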
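Review bot: The allowlist in `is_valid_filename` (new line 55) is wider than its docstring says, because `str.isalnum()` is Unicode-aware — `'é'.isalnum()` and `'٣'.isalnum()` are True — and the first operand `filename.isalnum()` is subsumed by the second, since a string without dots is unchanged by `replace('.', '')`. Neither form admits `/`, `\` or NUL, so the traversal guard holds as written, but if an ASCII allowlist is what is meant, `return bool(re.fullmatch(r'[A-Za-z0-9.]+', filename))` states it directly (that needs `import re`, which is not visible in this hunk). The docstring also credits the helper with rejecting `..`, yet `a..b` passes it; that rejection lives only in the caller's `'..' in filename` test at line 65, so either move the check into the helper or drop the claim from its docstring. The Flask idiom for this endpoint would be `return send_from_directory("static/certificates/generated", filename, as_attachment=True)`, which confines the path via `safe_join` and returns 404 on a missing file, replacing the manual `os.path.join` and `isfile` lines — assuming the app already imports it, which this hunk does not show.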