Update python sdk to strip any directory traversal in filename

[wing328]

based on #22953

with updated samples, docs.

cc @cbornet (2017/09) @tomplus (2018/10) @krjakbrjak (2023/02) @fa0311 (2023/10) @multani (2023/10)

PR checklist

• Read the contribution guidelines.
• Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
• Run the following to build the project and update samples:

  ./mvnw clean package || exit
  ./bin/generate-samples.sh ./bin/configs/*.yaml || exit
  ./bin/utils/export_docs_generators.sh || exit
  

  (For Windows users, please run the script in WSL)
  Commit all changed files.
  This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
  These must match the expectations made by your contribution.
  You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
  IMPORTANT: Do NOT purge/delete any folders/files (e.g. tests) when regenerating the samples as manually written tests may be removed.
• File the PR against the correct branch: master (upcoming 7.x.0 minor release - breaking changes with fallbacks), 8.0.x (breaking changes without fallbacks)
• If your PR solves a reported issue, reference it using GitHub's linking syntax (e.g., having "fixes #123" present in the PR description)
• If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

---

Summary by cubic

Prevents directory traversal in Python SDK file downloads by sanitizing Content-Disposition filenames with os.path.basename. Updates Python samples to reflect the fix.

• Bug Fixes
  • Strip path components from server-provided filenames in ApiClient.__deserialize_file to avoid writing outside the target folder.
  • Regenerated Python sample clients to include the fix.

^{Written for commit f675161. Summary will update on new commits.}

[cubic-dev-ai]

1 issue found across 7 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="samples/openapi3/client/petstore/python-httpx/petstore_api/api_client.py">

<violation number="1" location="samples/openapi3/client/petstore/python-httpx/petstore_api/api_client.py:720">
P2: os.path.basename still returns ".." for a filename of "..", so a crafted Content-Disposition can still escape the temp folder. Guard against empty/"."/".." names and fall back to the generated temp filename.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: os.path.basename still returns ".." for a filename of "..", so a crafted Content-Disposition can still escape the temp folder. Guard against empty/"."/".." names and fall back to the generated temp filename.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At samples/openapi3/client/petstore/python-httpx/petstore_api/api_client.py, line 720:

<comment>os.path.basename still returns ".." for a filename of "..", so a crafted Content-Disposition can still escape the temp folder. Guard against empty/"."/".." names and fall back to the generated temp filename.</comment>

<file context>
@@ -717,7 +717,7 @@ def __deserialize_file(self, response):
             )
             assert m is not None, "Unexpected 'content-disposition' header value"
-            filename = m.group(1)
+            filename = os.path.basename(m.group(1))  # Strip any directory traversal
             path = os.path.join(os.path.dirname(path), filename)
 
</file context>

Suggested change

	filename = os.path.basename(m.group(1)) # Strip any directory traversal
	filename = os.path.basename(m.group(1))
	if filename in ("", ".", ".."): # fall back to tmp filename
	filename = os.path.basename(path)