fix: sanitize server-provided paths

nijel · nijel · commit 216e691c6e50 · 2026-01-15T15:04:33.000+01:00
Make sure these match expected style.
diff --git a/wlc/main.py b/wlc/main.py
@@ -21,6 +21,8 @@
 import wlc
 from wlc.config import NoOptionError, WeblateConfig, WLCConfigurationError
 
+from .utils import sanitize_slug
+
 COMMANDS: dict[str, type[Command]] = {}
 
 SORT_ORDER: list[str] = []
@@ -655,13 +657,11 @@ def download_component(self, component) -> None:
             raise CommandError("Output is needed for download!")
 
         directory = Path(self.args.output)
-        file_path = directory.joinpath(f"{component.project.slug}-{component.slug}.zip")
-
-        if not directory.exists():
-            directory.mkdir(exist_ok=True, parents=True)
-
-        with open(file_path, "wb") as file:
-            file.write(content)
+        file_path = directory / (
+            f"{sanitize_slug(component.project.slug)}-{sanitize_slug(component.slug)}.zip"
+        )
+        directory.mkdir(exist_ok=True, parents=True)
+        file_path.write_bytes(content)
 
     def download_components(self, iterable) -> None:
         for component in iterable:
diff --git a/wlc/test_utils.py b/wlc/test_utils.py
@@ -0,0 +1,21 @@
+# Copyright © Michal Čihař <michal@weblate.org>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""Utils tests."""
+
+from unittest import TestCase
+
+from .utils import sanitize_slug
+
+
+class UtilsTestCase(TestCase):
+    """Utils tests."""
+
+    def test_sanitize_slug(self):
+        self.assertEqual(sanitize_slug("slug"), "slug")
+
+    def test_sanitize_slug_dangerous(self):
+        self.assertEqual(sanitize_slug("../\\slug"), "----slug")
+        self.assertEqual(sanitize_slug("slug/other"), "slug-other")
+        self.assertEqual(sanitize_slug("slug/"), "slug-")
diff --git a/wlc/utils.py b/wlc/utils.py
@@ -0,0 +1,17 @@
+# Copyright © Michal Čihař <michal@weblate.org>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Utility helpers."""
+
+from __future__ import annotations
+
+import re
+
+# This matches Django's SlugField validation minus dash which is
+# excluded by Weblate's validate_slug
+NON_SLUG_RE = re.compile(r"[^a-zA-Z0-9_]")
+
+
+def sanitize_slug(slug: str) -> str:
+    """Sanitize slug for safe use as a filename component."""
+    return NON_SLUG_RE.sub("-", slug)
