
Update python sdk to strip any directory traversal in filename#22965

Merged
wing328 merged 5 commits into master from padznich-python-sdk-dir-traversal-fix
Feb 13, 2026

Conversation

@wing328
Member

@wing328 wing328 commented Feb 13, 2026

based on #22953

with updated samples, docs.

cc @cbornet (2017/09) @tomplus (2018/10) @krjakbrjak (2023/02) @fa0311 (2023/10) @multani (2023/10)

PR checklist

  • Read the contribution guidelines.
  • Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
  • Run the following to build the project and update samples:
    ./mvnw clean package || exit
    ./bin/generate-samples.sh ./bin/configs/*.yaml || exit
    ./bin/utils/export_docs_generators.sh || exit
    
    (For Windows users, please run the script in WSL)
    Commit all changed files.
    This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
    These must match the expectations made by your contribution.
    You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
    IMPORTANT: Do NOT purge/delete any folders/files (e.g. tests) when regenerating the samples as manually written tests may be removed.
  • File the PR against the correct branch: master (upcoming 7.x.0 minor release - breaking changes with fallbacks), 8.0.x (breaking changes without fallbacks)
  • If your PR solves a reported issue, reference it using GitHub's linking syntax (e.g., having "fixes #123" present in the PR description)
  • If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

Summary by cubic

Prevents directory traversal in Python SDK file downloads by sanitizing Content-Disposition filenames and falling back to a safe temp name when the header is empty or uses "."/"..". Updates Python samples to reflect the fix.

  • Bug Fixes
    • Sanitize Content-Disposition filenames in ApiClient.__deserialize_file using os.path.basename and fall back to the temp filename if the value is empty, "." or ".." to avoid writing outside the target folder.
    • Regenerated Python sample clients to include the fix.

Written for commit 8d2e1f4. Summary will update on new commits.

@wing328 wing328 changed the title Padznich python sdk dir traversal fix update python sdk to strip any directory traversal in filename Feb 13, 2026
@wing328 wing328 changed the title update python sdk to strip any directory traversal in filename Update python sdk to strip any directory traversal in filename Feb 13, 2026
@wing328 wing328 added this to the 7.20.0 milestone Feb 13, 2026
@wing328 wing328 marked this pull request as ready for review February 13, 2026 08:09
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 7 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="samples/openapi3/client/petstore/python-httpx/petstore_api/api_client.py">

<violation number="1" location="samples/openapi3/client/petstore/python-httpx/petstore_api/api_client.py:720">
P2: os.path.basename still returns ".." for a filename of "..", so a crafted Content-Disposition can still escape the temp folder. Guard against empty/"."/".." names and fall back to the generated temp filename.</violation>
</file>

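The PR description above states the fix (sanitize the Content-Disposition filename with os.path.basename, fall back to the temp name when the result is empty, "." or "..") and the bot comment explains why the fallback is needed (os.path.basename("..") is still ".."). The following is an added, stand-alone illustration of that logic; it is not the generated client's code. The header regex and the function names are this example's own assumptions, and the input headers are constructed.

```python
import os
import re
from typing import Optional

# Regex for pulling the filename token out of a Content-Disposition header.
# Assumption of this example, not the template's exact expression.
_FILENAME_RE = re.compile(r'filename=[\'"]?([^\'"\s]+)[\'"]?')


def filename_from_content_disposition(header: Optional[str]) -> Optional[str]:
    """Return the raw filename token from a Content-Disposition header, or None."""
    if not header:
        return None
    match = _FILENAME_RE.search(header)
    return match.group(1) if match else None


def basename_only(raw_name: str) -> str:
    """The incomplete sanitization the review bot flagged: basename alone.

    os.path.basename strips directory components ("../../x" -> "x") but
    passes ".." and "." through unchanged, so a header carrying filename=".."
    would still be joined onto the download directory as-is.
    """
    return os.path.basename(raw_name)


def safe_download_filename(header: Optional[str], temp_name: str) -> str:
    """Sanitize the header filename as the PR describes.

    Strip any directory component with os.path.basename, then fall back to
    the generated temp filename when the result is empty, "." or "..".
    """
    raw = filename_from_content_disposition(header)
    if raw is None:
        return temp_name
    name = os.path.basename(raw)
    if name in ("", ".", ".."):
        return temp_name
    return name


def stays_inside(download_dir: str, header: Optional[str], temp_name: str) -> bool:
    """Post-condition check: the final path must resolve under download_dir."""
    path = os.path.join(download_dir, safe_download_filename(header, temp_name))
    real_dir = os.path.realpath(download_dir)
    return os.path.commonpath([real_dir, os.path.realpath(path)]) == real_dir


if __name__ == "__main__":
    # Constructed sample headers covering the benign case and the edge cases.
    samples = [
        'attachment; filename="report.pdf"',
        'attachment; filename="../../etc/passwd"',
        'attachment; filename=".."',
        'attachment; filename="."',
        'attachment; filename="dir/"',
        "attachment",
        None,
    ]
    for hdr in samples:
        print(repr(hdr), "->", safe_download_filename(hdr, "tmpk3j9x"))
```

The `stays_inside` helper is the check a reviewer would want after any filename sanitization: it joins the sanitized name onto the download directory and confirms the resolved path is still beneath it, so a regression in `safe_download_filename` fails loudly instead of silently writing elsewhere.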

@wing328 wing328 merged commit 73dcdd6 into master Feb 13, 2026
46 of 47 checks passed
@wing328 wing328 deleted the padznich-python-sdk-dir-traversal-fix branch February 13, 2026 16:58
padznich added a commit to padznich/openapi-generator that referenced this pull request Feb 16, 2026
…PITools#22965)

* update python sdk

Strip any directory traversal

* rebased

* update samples, docs

* fallback case

---------

Co-authored-by: Pavel Slabko <slabkopg@gmail.com>
# Conflicts:
#	modules/openapi-generator/src/main/resources/python/api_client.mustache
#	samples/client/echo_api/python-disallowAdditionalPropertiesIfNotPresent/openapi_client/api_client.py
#	samples/client/echo_api/python/openapi_client/api_client.py
#	samples/openapi3/client/petstore/python-aiohttp/petstore_api/api_client.py
#	samples/openapi3/client/petstore/python-httpx/petstore_api/api_client.py
#	samples/openapi3/client/petstore/python-lazyImports/petstore_api/api_client.py
#	samples/openapi3/client/petstore/python/petstore_api/api_client.py
