From 187bd73355a9ca2d64a7faefa472b286dc94c027 Mon Sep 17 00:00:00 2001
From: Wen Jie Seow <35338681+seowwj@users.noreply.github.com>
Date: Sun, 29 Sep 2024 13:49:05 +0000
Subject: [PATCH] certificate_generator/app/routes.py: fix for potential path manipulation

Signed-off-by: Wen Jie Seow <35338681+seowwj@users.noreply.github.com>
---
 certificate_generator/app/routes.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/certificate_generator/app/routes.py b/certificate_generator/app/routes.py
index 15e083d72..ba558aba8 100644
--- a/certificate_generator/app/routes.py
+++ b/certificate_generator/app/routes.py
@@ -40,6 +40,21 @@ def render_certificate():
     return render_template('download.html', file_name=file_name)
 
 
+def is_valid_filename(filename):
+    """
+    Check if the filename is valid
+    - Prevents directory traversal attacks (with / or ..)
+    - Only allows alphanumeric characters and dots
+
+    Args:
+        filename: str
+
+    Returns:
+        bool - whether the filename is valid (True = valid, False = invalid)
+    """
+    return filename.isalnum() or filename .replace('.', '').isalnum()
+
+
 @app.route('/download_certificate', methods=['GET'])
 def download():
     """
@@ -47,6 +62,10 @@ def download():
     """
     if request.method == "GET":
         filename = request.args.get("filename")
+        if not filename or '..' in filename or not is_valid_filename(filename):
+            return "Invalid filename", 400
         filepath = os.path.join("static/certificates/generated", filename)
+        if not os.path.isfile(filepath):
+            return "File not found", 404
         return send_file(filepath, as_attachment=True, cache_timeout=0, attachment_filename=filename)
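Review bot: `is_valid_filename` relies on `str.isalnum()`, which is Unicode-aware, so the allow-list is wider than the "only alphanumeric characters and dots" the docstring promises (non-ASCII letters and digits such as `٣` or fullwidth forms pass), and its first clause is redundant because any name containing a dot already fails `isalnum()` and is decided by the `replace` clause. Traversal itself is blocked, since `/`, `\` and NUL are never alphanumeric, but names like `...`, `..x` or `.htaccess` pass the helper and only the separate `'..' in filename` guard in the caller catches the first two, so the rule lives in two places. I would fold it into one ASCII pattern that rejects leading, trailing and doubled dots: `_SAFE_NAME = re.compile(r'^[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*$')` at module level (needs `import re` at the top of the file) and `return bool(_SAFE_NAME.fullmatch(filename))` as the body, keeping the docstring's wording accurate.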
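Review bot: In `download`, the new `os.path.isfile` pre-check and the manual validation still hand `send_file` a path assembled with `os.path.join` against a relative directory, so containment depends entirely on the character allow-list rather than on the path being resolved; replacing the join, `isfile` check and `send_file` call with `send_from_directory("static/certificates/generated", filename, as_attachment=True, cache_timeout=0, attachment_filename=filename)` would let Flask's `safe_join` enforce that the resolved file stays inside the directory and return 404 itself, giving defence in depth if the allow-list is ever loosened. The `'..' in filename` test is also broader than needed (it rejects an otherwise harmless `cert..pdf`) and would be better expressed inside `is_valid_filename` so no future caller forgets it. Note that `static/certificates/generated` is relative to the process working directory, so a service started from another directory will report every file as missing; an absolute path built from `app.root_path` would be safer, though that is pre-existing. The hunk's final context line after `send_file` is not visible here, so `download` may continue beyond what is shown.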