GitHub/xiaomusic
1
0
Fork 0
mirror of https://github.com/hanxi/xiaomusic.git synced 2026-03-15 08:13:16 +08:00
Code Packages Releases Activity

Fix code scanning alert no. 38: Uncontrolled data used in path expression (#317)

Browse Source 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
涵曦
2024-12-17 08:41:26 +08:00
committed by GitHub
parent 78bf7d30f5
commit 558f00a5a4
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
xiaomusic/utils.py
View File

@@ -1080,6 +1080,10 @@ async def download_and_extract(url: str, target_directory: str):
async with session.get(url) as response:
if response.status == 200:
file_name = os.path.join(target_directory, url.split("/")[-1])
file_name = os.path.normpath(file_name)
if not file_name.startswith(target_directory):
log.warning(f"Invalid file path: {file_name}")
return
with open(file_name, "wb") as f:
# 以块的方式下载文件,防止内存占用过大
async for chunk in response.content.iter_any():