From 558f00a5a414ef720f09c9a300ee03fd5b4701be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=B6=B5=E6=9B=A6?=
Date: Tue, 17 Dec 2024 08:41:26 +0800
Subject: [PATCH] Fix code scanning alert no. 38: Uncontrolled data used in path expression (#317)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 xiaomusic/utils.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/xiaomusic/utils.py b/xiaomusic/utils.py
index 66f1671..7f398b4 100644
--- a/xiaomusic/utils.py
+++ b/xiaomusic/utils.py
@@ -1080,6 +1080,10 @@ async def download_and_extract(url: str, target_directory: str):
 async with session.get(url) as response:
 if response.status == 200:
 file_name = os.path.join(target_directory, url.split("/")[-1])
+ file_name = os.path.normpath(file_name)
+ if not file_name.startswith(target_directory):
+ log.warning(f"Invalid file path: {file_name}")
+ return
 with open(file_name, "wb") as f:
 # 以块的方式下载文件,防止内存占用过大
 async for chunk in response.content.iter_any():
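Review bot: The added containment test `file_name.startswith(target_directory)` is both too loose and too strict: it accepts any path under a sibling directory that merely shares the prefix (`/data/music_x/...` passes for a target of `/data/music`), and it rejects every legitimate download whenever `target_directory` is spelled in a form `normpath` rewrites (`./music` joins to `./music/x` but normalizes to `music/x`), because only one side of the comparison is normalized. Normalize both sides and compare with a separator appended: `base = os.path.abspath(target_directory)`, `file_name = os.path.abspath(os.path.join(base, url.split("/")[-1]))`, `if not file_name.startswith(base + os.sep):` (or equivalently `os.path.commonpath([base, file_name]) != base`). Since the last URL segment cannot contain `/`, the cases this check actually has to catch are a backslash-separated segment on Windows and an empty, `.` or `..` segment that resolves to the directory itself or its parent, all of which the `base + os.sep` form rejects while the current check lets the directory-itself case through to `open(..., "wb")`. `download_and_extract` begins and ends outside the hunk.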