From b0c2027a1ccea6b2528570bcb5f1061819834663 Mon Sep 17 00:00:00 2001
From: Will Miao <13051207myq@gmail.com>
Date: Tue, 5 Aug 2025 07:35:19 +0800
Subject: [PATCH] feat: add path validation for model folder in ExampleImagesFileManager
---
 py/utils/example_images_file_manager.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/py/utils/example_images_file_manager.py b/py/utils/example_images_file_manager.py
index 504fd77f..828e7a96 100644
--- a/py/utils/example_images_file_manager.py
+++ b/py/utils/example_images_file_manager.py
@@ -43,7 +43,15 @@ class ExampleImagesFileManager:
 # Construct folder path for this model
 model_folder = os.path.join(example_images_path, model_hash)
-
+ model_folder = os.path.abspath(model_folder) # Get absolute path
+
+ # Path validation: ensure model_folder is under example_images_path
+ if not model_folder.startswith(os.path.abspath(example_images_path)):
+ return web.json_response({
+ 'success': False,
+ 'error': 'Invalid model folder path'
+ }, status=400)
+
 # Check if folder exists
 if not os.path.exists(model_folder):
 return web.json_response({
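Review bot: The containment test `model_folder.startswith(os.path.abspath(example_images_path))` compares raw string prefixes, so a resolved path in a sibling directory whose name merely begins with the root's name still passes (constructed example: root `/data/examples`, resolved path `/data/examples_old/x`). `os.path.abspath` also only normalises the string and does not resolve symlinks, so a link placed under the root that points elsewhere is not caught by this check. Comparing on path components closes both gaps: `root = os.path.realpath(example_images_path)`, `model_folder = os.path.realpath(os.path.join(root, model_hash))`, then `if os.path.commonpath([root, model_folder]) != root:` before returning the 400; `commonpath` raises `ValueError` for paths on different Windows drives, which should be treated as a rejection too. The handler starts and ends outside this hunk, so the origin of `model_hash` is not visible; if it is always a hex digest, rejecting any other shape before the join would be a simpler first line of defence.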