From 978a19d0c2ce51d3c827bdd5c991c8a3913c2658 Mon Sep 17 00:00:00 2001 From: Stephen Crowe <6042774+crowecawcaw@users.noreply.github.com> Date: Wed, 11 Feb 2026 14:39:38 -0800 Subject: [PATCH] fix: reject path separators in embedded filenames Signed-off-by: Stephen Crowe <6042774+crowecawcaw@users.noreply.github.com> --- src/openjd/model/v2023_09/_model.py | 4 ++++ test/openjd/model/v2023_09/test_embedded.py | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/openjd/model/v2023_09/_model.py b/src/openjd/model/v2023_09/_model.py index 6ad0a86a..f97ee414 100644 --- a/src/openjd/model/v2023_09/_model.py +++ b/src/openjd/model/v2023_09/_model.py @@ -509,6 +509,10 @@ def _validate_name(cls, v: str, info: ValidationInfo) -> str: def _validate_filename(cls, v: Optional[Filename], info: ValidationInfo) -> Optional[Filename]: if v is None: return v + if "/" in v or "\\" in v: + raise ValueError( + "filename must be a basename only and cannot contain path separators ('/' or '\\\\')" + ) context = cast(Optional[ModelParsingContext], info.context) max_len = 256 if context and "FEATURE_BUNDLE_1" in context.extensions else 64 if len(v) > max_len: diff --git a/test/openjd/model/v2023_09/test_embedded.py b/test/openjd/model/v2023_09/test_embedded.py index 24f2dda5..ad577005 100644 --- a/test/openjd/model/v2023_09/test_embedded.py +++ b/test/openjd/model/v2023_09/test_embedded.py @@ -63,7 +63,14 @@ def test_parse_success(self, data: dict[str, Any]) -> None: {"name": "foo", "type": "TEXT", "data": "some text", "runnable": "True"}, id="runnable must be bool", ), - # TODO - tests for filename allowed characters + pytest.param( + {"name": "foo", "type": "TEXT", "data": "some text", "filename": "dir/file.txt"}, + id="filename with forward slash", + ), + pytest.param( + {"name": "foo", "type": "TEXT", "data": "some text", "filename": "dir\\file.txt"}, + id="filename with backslash", + ), ), ) def test_parse_fails(self, data: dict[str, Any]) -> None: