fix(validators): reject certain paths from being used

nijel · nijel · commit 4837a4154390 · 2025-12-16T14:06:37.000+01:00
Restrict based on the translation-finder blacklist which covers files we
do not want to touch.
diff --git a/weblate/trans/backups.py b/weblate/trans/backups.py
@@ -550,7 +550,7 @@ def validate(self) -> None:
             self.load_memory(zipfile)
             self.load_components(zipfile)
             for name in zipfile.namelist():
-                validate_filename(name)
+                validate_filename(name, check_prohibited=False)
 
     def restore_unit(
         self,
diff --git a/weblate/utils/files.py b/weblate/utils/files.py
@@ -90,7 +90,7 @@ def should_skip(location):
     )
 
 
-def is_excluded(path):
+def is_excluded(path: str) -> bool:
     """Whether path should be excluded from zip extraction."""
     return any(exclude in f"/{path}/" for exclude in PATH_EXCLUDES) or ".." in path
 
diff --git a/weblate/utils/tests/test_validators.py b/weblate/utils/tests/test_validators.py
@@ -139,6 +139,16 @@ def test_simplification(self) -> None:
     def test_empty(self) -> None:
         validate_filename("")
 
+    def test_prohibited(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_filename(".git/config")
+        validate_filename(".git/config", check_prohibited=False)
+
+    def test_prohibited_subdir(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_filename("path/.git/config")
+        validate_filename("path/.git/config", check_prohibited=False)
+
 
 class RegexTest(SimpleTestCase):
     def test_empty(self) -> None:
diff --git a/weblate/utils/validators.py b/weblate/utils/validators.py
@@ -33,6 +33,7 @@
 from weblate.trans.util import cleanup_path
 from weblate.utils.const import WEBHOOKS_SECRET_PREFIX
 from weblate.utils.data import data_dir
+from weblate.utils.files import is_excluded
 
 USERNAME_MATCHER = re.compile(r"^[\w@+-][\w.@+-]*$")
 
@@ -238,7 +239,7 @@ def validate_plural_formula(value) -> None:
         ) from error
 
 
-def validate_filename(value) -> None:
+def validate_filename(value: str, *, check_prohibited: bool = True) -> None:
     if "../" in value or "..\\" in value:
         raise ValidationError(
             gettext("The filename can not contain reference to a parent directory.")
@@ -254,6 +255,8 @@ def validate_filename(value) -> None:
                 "Maybe you want to use: {}"
             ).format(cleaned)
         )
+    if check_prohibited and is_excluded(cleaned):
+        raise ValidationError(gettext("The filename contains a prohibited folder."))
 
 
 def validate_backup_path(value: str) -> None:

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ def should_skip(location):`
`90`	`90`	`)`
`91`	`91`
`92`	`92`
`93`		`-def is_excluded(path):`
	`93`	`+def is_excluded(path: str) -> bool:`
`94`	`94`	`"""Whether path should be excluded from zip extraction."""`
`95`	`95`	`return any(exclude in f"/{path}/" for exclude in PATH_EXCLUDES) or ".." in path`
`96`	`96`