Conversation

@odaysec odaysec commented Jan 8, 2026

Added path normalization and validation to prevent directory traversal attacks in the status endpoint. To fix uncontrolled path usage, you must ensure that any user-controlled component of a file path is validated and/or that the final path is constrained to a safe directory after normalization. Options here include: (1) constraining uid to match a strict pattern (for example, UUID or a limited character set), or (2) computing the full path under SAVE_DIR, normalizing it with os.path.normpath or os.path.realpath, and then enforcing that it still resides inside SAVE_DIR before opening it.

The least invasive and most robust change here is to keep using uid as-is for lookup, but protect the final path: build save_file_path under SAVE_DIR, normalize it, and check that it is still within SAVE_DIR. If the check fails, treat the status as an error or as “not found/processing” without reading any file. Concretely, in @app.get("/status/{uid}") we should: (1) compute requested_path = os.path.join(SAVE_DIR, f'{uid}.glb'), (2) normalize both SAVE_DIR and requested_path (e.g. with os.path.abspath + os.path.normpath), (3) verify that normalized_path starts with the normalized SAVE_DIR prefix (using a proper boundary check), and (4) only then check existence and read the file. If the path is invalid, immediately return an error JSON response. This change is local to the status handler and does not alter the external API or how legitimate UIDs behave.

We already import os at the top of the file, so no new imports are required. All changes are within api_server.py, in the status function body around lines 287–297.

References

werkzeug.utils.secure_filename

Added path normalization and validation to prevent directory traversal attacks in the status endpoint.
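The four-step containment check described in the PR text (join under SAVE_DIR, normalize, boundary-safe prefix check, only then touch the file), written out as an added, stand-alone example. This is not the project's api_server.py handler: the FastAPI wiring is omitted, SAVE_DIR is a constructed temporary directory, the UUID pattern for option (1) is an assumption, and `naive_is_within` exists only to show why a plain `startswith` prefix test is not a proper boundary check.

```python
import os
import re
import tempfile

# Constructed stand-in for the server's configured output directory.
SAVE_DIR = os.path.join(tempfile.mkdtemp(prefix="status_demo_"), "outputs")
os.makedirs(SAVE_DIR, exist_ok=True)

# Option (1) from the PR text: whitelist the uid itself. A UUID4-style
# pattern is assumed here; the real project may use a different uid format.
UID_PATTERN = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def is_valid_uid(uid: str) -> bool:
    """Strict allow-list check on the uid component (option 1)."""
    return bool(UID_PATTERN.match(uid))


def naive_is_within(base: str, path: str) -> bool:
    """String-prefix check WITHOUT a boundary. Shown only as the weak form:
    it accepts '/data/outputs_evil/x' as being inside '/data/outputs'."""
    return os.path.abspath(path).startswith(os.path.abspath(base))


def is_within(base: str, path: str) -> bool:
    """Boundary-safe containment check (option 2): both paths are made absolute
    and normalized, then compared component-wise via os.path.commonpath, so a
    sibling directory that merely shares a prefix is rejected."""
    base = os.path.abspath(os.path.normpath(base))
    path = os.path.abspath(os.path.normpath(path))
    try:
        return os.path.commonpath([base, path]) == base
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        return False


def resolve_status_path(save_dir: str, uid: str):
    """Steps (1)-(3) of the PR text: join, normalize, verify containment.
    Returns the normalized path, or None if it escapes save_dir."""
    requested_path = os.path.join(save_dir, f"{uid}.glb")
    normalized_path = os.path.abspath(os.path.normpath(requested_path))
    if not is_within(save_dir, normalized_path):
        return None
    return normalized_path


def status_response(save_dir: str, uid: str) -> dict:
    """Decision flow of the hardened handler (step 4): an invalid path yields an
    error response before any filesystem access; otherwise existence decides
    between 'processing' and 'completed'. Returns the JSON-like dict a handler
    would serialize."""
    path = resolve_status_path(save_dir, uid)
    if path is None:
        return {"status": "error", "message": "invalid uid"}
    if not os.path.exists(path):
        return {"status": "processing"}
    with open(path, "rb") as f:
        data = f.read()
    return {"status": "completed", "size": len(data)}


def write_sample_artifact(uid: str, data: bytes) -> str:
    """Helper for the demo: drop a constructed .glb under SAVE_DIR."""
    path = os.path.join(SAVE_DIR, f"{uid}.glb")
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    write_sample_artifact("123e4567-e89b-12d3-a456-426614174000", b"glTF")
    for uid in ("123e4567-e89b-12d3-a456-426614174000", "missing", "../../etc/passwd"):
        print(uid, "->", status_response(SAVE_DIR, uid))
```

`os.path.commonpath` is the piece that gives the "proper boundary check" the PR text asks for; `os.path.realpath` can be substituted for `abspath` when symlinks under SAVE_DIR should also be resolved before the comparison.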
@tencent-adm
CLA assistant check
Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
