From 2c146aff74bac427f0a4921971d8472097410bdf Mon Sep 17 00:00:00 2001
From: liunux4odoo <41217877+liunux4odoo@users.noreply.github.com>
Date: Tue, 14 May 2024 09:46:19 +0800
Subject: [PATCH] path traversal bug in api /knowledge_base/download_doc(#4008) (#4009)

close #4008
---
 server/knowledge_base/utils.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/knowledge_base/utils.py b/server/knowledge_base/utils.py
index f2ddbfd0..b6772cd2 100644
--- a/server/knowledge_base/utils.py
+++ b/server/knowledge_base/utils.py
@@ -42,7 +42,10 @@ def get_vs_path(knowledge_base_name: str, vector_name: str):
 
 
 def get_file_path(knowledge_base_name: str, doc_name: str):
-    return os.path.join(get_doc_path(knowledge_base_name), doc_name)
+    doc_path = Path(get_doc_path(knowledge_base_name))
+    file_path = doc_path / doc_name
+    if file_path.is_relative_to(doc_path):
+        return str(file_path)
 
 
 def list_kbs_from_folder():
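Review bot: The `is_relative_to` guard on the third added line compares unnormalized paths, and `PurePath.is_relative_to` is a purely lexical prefix test that does not collapse `..` components, so a `doc_name` containing parent references still reports as relative to `doc_path`; as written the check only rejects an absolute `doc_name`, for which `/` discards the base. Normalize both sides before comparing, e.g. `doc_path = Path(get_doc_path(knowledge_base_name)).resolve()` and `file_path = (doc_path / doc_name).resolve()`, which also accounts for symlinks under the documents directory. The function now falls off the end and returns `None` when the check fails, whereas it previously always returned a `str`; unless every caller (not visible here) handles `None`, make the rejection explicit, e.g. `raise ValueError("doc_name escapes the knowledge base directory")`, and document it in a docstring. `Path` must be imported in this module and `is_relative_to` requires Python 3.9+; neither is visible in the hunk, so confirm both against the rest of the file and the project's supported versions.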