using basename in submission filename to prevent potential LFI

ontoportal-lirmm · Oct 8, 2024 · 73a0403 · 73a0403
1 parent f7ee9f1
commit 73a0403
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/ontologies_linked_data/models/ontology_submission.rb b/lib/ontologies_linked_data/models/ontology_submission.rb
@@ -280,7 +280,7 @@ def self.submission_id_generator(ss)
       # Copy file from /tmp/uncompressed-ont-rest-file to /srv/ncbo/repository/MY_ONT/1/
       def self.copy_file_repository(acronym, submissionId, src, filename = nil)
         path_to_repo = File.join([LinkedData.settings.repository_folder, acronym.to_s, submissionId.to_s])
-        name = filename || File.basename(File.new(src).path)
+        name = File.basename(filename) || File.basename(File.new(src).path)
         # THIS LOGGER IS JUST FOR DEBUG - remove after NCBO-795 is closed
         logger = Logger.new(Dir.pwd + "/create_permissions.log")
         if not Dir.exist? path_to_repo