Arbitrary File Download Vulnerability

## Description
In versions 0.8.0~0.9.4, unthenticated attackers can exploit the `path` parameter in the `download_work_dir_file` API to download arbitrary files from the server.
## Environment
- **Operating System** :windows docker
-  **Affected Version** :  0.8.0~0.9.4

## PoC
1. visit `http://<host>/download_work_dir_file?path=/etc/passwd`

Observe that the brower initiates the download of the specified file.


## Screenshots

<img width="419" height="166" alt="Image" src="https://github.com/user-attachments/assets/e7dc752b-6543-44a0-9d55-3e8e271e58d9" />

## Vulnerable Code Location:  
`/python/api/download_work_dir_file.py`,
specifically at: 
```python
file_path = request.args.get("path", "")

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Arbitrary File Download Vulnerability #687

Description

Environment

PoC

Screenshots

Vulnerable Code Location:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Arbitrary File Download Vulnerability #687

Description

Description

Environment

PoC

Screenshots

Vulnerable Code Location:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions