fix(delete-apis): fix vulnerability for user controlled path

AntaresSimulatorTeam · Jun 24, 2024 · 69735d1 · 69735d1
1 parent f6815d7
commit 69735d1
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/antarest/study/service.py b/antarest/study/service.py
@@ -9,6 +9,7 @@
 import time
 import typing as t
 from datetime import datetime, timedelta
+from os.path import abspath
 from pathlib import Path, PurePosixPath
 from uuid import uuid4
 
@@ -1188,12 +1189,12 @@ def download_outputs(
         """
         Download outputs
         Args:
-            study_id: study Id
-            output_id: output id
+            study_id: study ID
+            output_id: output ID
             data: Json parameters
             use_task: use task or not
             filetype: type of returning file,
-            tmp_export_file: temporary file (if use_task is false),
+            tmp_export_file: temporary file (if `use_task` is false),
             params: request parameters
 
         Returns: CSV content file
@@ -1276,7 +1277,7 @@ def export_task(notifier: TaskUpdateNotifier) -> TaskResult:
                 else:  # pragma: no cover
                     raise NotImplementedError(f"Export format {filetype} is not supported")
 
-                return FileResponse(tmp_export_file, headers=headers, media_type=filetype)
+                return FileResponse(Path(abspath(tmp_export_file)), headers=headers, media_type=filetype)
 
             else:
                 json_response = json.dumps(