fix(validators): reject certain paths from being used

Restrict based on the translation-finder blacklist which covers files we
do not want to touch.

Author: nijel

weblate/utils/files.py

@@ -90,7 +90,7 @@ def should_skip(location):
     )
 
 
-def is_excluded(path):
+def is_excluded(path: str) -> bool:
     """Whether path should be excluded from zip extraction."""
     return any(exclude in f"/{path}/" for exclude in PATH_EXCLUDES) or ".." in path
 

weblate/utils/tests/test_validators.py

@@ -139,6 +139,14 @@ def test_simplification(self) -> None:
     def test_empty(self) -> None:
         validate_filename("")
 
+    def test_prohibited(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_filename(".git/config")
+
+    def test_prohibited_subdir(self) -> None:
+        with self.assertRaises(ValidationError):
+            validate_filename("path/.git/config")
+
 
 class RegexTest(SimpleTestCase):
     def test_empty(self) -> None:

weblate/utils/validators.py

@@ -33,6 +33,7 @@
 from weblate.trans.util import cleanup_path
 from weblate.utils.const import WEBHOOKS_SECRET_PREFIX
 from weblate.utils.data import data_dir
+from weblate.utils.files import is_excluded
 
 USERNAME_MATCHER = re.compile(r"^[\w@+-][\w.@+-]*$")
 
@@ -238,7 +239,7 @@ def validate_plural_formula(value) -> None:
         ) from error
 
 
-def validate_filename(value) -> None:
+def validate_filename(value: str, *, check_prohibited: bool = True) -> None:
     if "../" in value or "..\\" in value:
         raise ValidationError(
             gettext("The filename can not contain reference to a parent directory.")
@@ -254,6 +255,8 @@ def validate_filename(value) -> None:
                 "Maybe you want to use: {}"
             ).format(cleaned)
         )
+    if check_prohibited and is_excluded(cleaned):
+        raise ValidationError(gettext("The filename contains a prohibited folder."))
 
 
 def validate_backup_path(value: str) -> None: