Update python sdk to strip any directory traversal in filename (OpenAPITools#22965)

wing328 · padznich · padznich · commit c33595f87084 · 2026-02-16T11:34:36.000+01:00
* update python sdk

Strip any directory traversal

* rebased

* update samples, docs

* fallback case

---------

Co-authored-by: Pavel Slabko &lt;slabkopg@gmail.com&gt;
# Conflicts:
#	modules/openapi-generator/src/main/resources/python/api_client.mustache
#	samples/client/echo_api/python-disallowAdditionalPropertiesIfNotPresent/openapi_client/api_client.py
#	samples/client/echo_api/python/openapi_client/api_client.py
#	samples/openapi3/client/petstore/python-aiohttp/petstore_api/api_client.py
#	samples/openapi3/client/petstore/python-httpx/petstore_api/api_client.py
#	samples/openapi3/client/petstore/python-lazyImports/petstore_api/api_client.py
#	samples/openapi3/client/petstore/python/petstore_api/api_client.py
diff --git a/modules/openapi-generator/src/main/resources/python/api_client.mustache b/modules/openapi-generator/src/main/resources/python/api_client.mustache
@@ -725,6 +725,8 @@ class ApiClient:
             )
             assert m is not None, "Unexpected 'content-disposition' header value"
             filename = os.path.basename(m.group(1))  # Strip any directory traversal
+            if filename in ("", ".", ".."):  # fall back to tmp filename
+                filename = os.path.basename(path)
             path = os.path.join(os.path.dirname(path), filename)
 
         with open(path, "wb") as f:

Original file line number	Diff line number	Diff line change
`@@ -725,6 +725,8 @@ class ApiClient:`
`725`	`725`	`)`
`726`	`726`	`assert m is not None, "Unexpected 'content-disposition' header value"`
`727`	`727`	`filename = os.path.basename(m.group(1)) # Strip any directory traversal`
	`728`	`+ if filename in ("", ".", ".."): # fall back to tmp filename`
	`729`	`+ filename = os.path.basename(path)`
`728`	`730`	`path = os.path.join(os.path.dirname(path), filename)`
`729`	`731`
`730`	`732`	`with open(path, "wb") as f:`