From d4506291cfd4e165bf2863e0ebc0b3f3df317a85 Mon Sep 17 00:00:00 2001
From: jxfzzzt <1160490625@qq.com>
Date: Sun, 28 Jul 2024 17:29:25 +0800
Subject: [PATCH] Fix Path Traversal issue

---
 src/libre_chat/router.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/libre_chat/router.py b/src/libre_chat/router.py
index 12c87dc..e803f64 100644
--- a/src/libre_chat/router.py
+++ b/src/libre_chat/router.py
@@ -3,6 +3,7 @@
 from dataclasses import dataclass
 from typing import Any, Dict, List, Optional, Union
 
+import werkzeug
 from fastapi import APIRouter, Body, File, HTTPException, Request, UploadFile, WebSocket
 from fastapi.responses import JSONResponse
 from langchain.callbacks.base import AsyncCallbackHandler
@@ -123,7 +124,13 @@ def upload_documents(
         )
         for uploaded in files:
             if uploaded.filename:  # no cov
-                file_path = os.path.join(self.conf.vector.documents_path, uploaded.filename)
+                file_path = werkzeug.utils.safe_join(self.conf.vector.documents_path, uploaded.filename)
+                if file_path is None:
+                    raise HTTPException(
+                        status_code=403,
+                        detail=f"Invalid file name: {uploaded.filename}",
+                    )
+
                 with open(file_path, "wb") as file:
                     file.write(uploaded.file.read())
                 # Check if the uploaded file is a zip file
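Review bot: `import werkzeug` introduces a new runtime dependency into a FastAPI service, but the diffstat lists only `router.py`, so nothing in this patch declares it in the project's dependency metadata; unless werkzeug is already present transitively, the module fails to import at startup. Either declare the dependency in the same change, or avoid it altogether — the only use is `safe_join`, and an `os.path`-based filename check covers this flat-upload case without pulling in the Flask toolkit. If werkzeug stays, import the name actually used, `from werkzeug.utils import safe_join`, so the call site does not rely on the `utils` submodule happening to be loaded as a side effect of the package `__init__`.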
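Review bot: The `file_path is None` check only rejects escapes from `documents_path`; `safe_join` still accepts names such as `sub/dir/doc.txt` or `.`, which reach `open(file_path, "wb")` and surface as `FileNotFoundError`/`IsADirectoryError`, i.e. an unhandled 500 rather than a clean client error. Since uploads are written flat into `documents_path`, tighten the guard to `if file_path is None or uploaded.filename == "." or os.path.basename(file_path) != uploaded.filename:`, and 400 reads better than 403 for a malformed filename. Prefer a fixed `detail` message over echoing the raw client-supplied filename. `upload_documents` starts and ends outside the hunk; the zip handling that follows presumably extracts archive members and, if it does, each member path needs the same validation, which this change does not provide.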