From 4cda3bf99ade318eaca3c26235c787446c633ae2 Mon Sep 17 00:00:00 2001
From: Ethan Silvas
Date: Sun, 20 Oct 2024 14:31:06 -0700
Subject: [PATCH] sanitize filenames for AFO on file upload/delete
---
 backend/server/server_utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/server/server_utils.py b/backend/server/server_utils.py
index 0c6af9ef5..4bd23f0bc 100644
--- a/backend/server/server_utils.py
+++ b/backend/server/server_utils.py
@@ -79,7 +79,7 @@ def update_environment_variables(config: Dict[str, str]):
 async def handle_file_upload(file, DOC_PATH: str) -> Dict[str, str]:
- file_path = os.path.join(DOC_PATH, file.filename)
+ file_path = os.path.join(DOC_PATH, os.path.basename(file.filename))
 with open(file_path, "wb") as buffer:
 shutil.copyfileobj(file.file, buffer)
 print(f"File uploaded to {file_path}")
@@ -91,7 +91,7 @@ async def handle_file_upload(file, DOC_PATH: str) -> Dict[str, str]:
 async def handle_file_deletion(filename: str, DOC_PATH: str) -> JSONResponse:
- file_path = os.path.join(DOC_PATH, filename)
+ file_path = os.path.join(DOC_PATH, os.path.basename(filename))
 if os.path.exists(file_path):
 os.remove(file_path)
 print(f"File deleted: {file_path}")
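Review bot: `os.path.basename` can still return an empty string, `.` or `..` (for names such as `docs/` or `..`), and in `handle_file_upload` the joined path then points at DOC_PATH itself or its parent, so `open(file_path, "wb")` raises on a directory instead of the request being rejected cleanly. If `file` is a Starlette/FastAPI `UploadFile` (not shown in the hunk), `file.filename` may also be `None`, which makes `basename` raise `TypeError`. I would normalise once and validate, `name = os.path.basename(file.filename or "")` followed by `if name in ("", ".", ".."):` returning a client error, and apply the same guard to `filename` in `handle_file_deletion` in the second hunk. The body of `handle_file_upload` continues past the end of the hunk.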
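Review bot: `os.path.exists(file_path)` in `handle_file_deletion` is also true for directories, so after the basename change a name that matches a subdirectory of DOC_PATH (or that reduces to an empty string) still reaches `os.remove`, which raises on a directory. `if os.path.isfile(file_path):` keeps the deletion limited to regular files and lets every other name fall through to whatever the not-found path is; that branch lies outside the hunk. A short comment such as `# basename() strips directory components so the delete cannot leave DOC_PATH` would also record why the call is there.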