From 794792e0f8bdaead9e1c0ffeac9cbef7cc566db6 Mon Sep 17 00:00:00 2001
From: Hirad Rasoolinejad <hirad.rad@gmail.com>
Date: Mon, 30 Oct 2023 00:11:46 +0330
Subject: [PATCH] Update auto_translator.py to fix the Path Traversal
 Vulnerability

---
 .github/auto_translator.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/auto_translator.py b/.github/auto_translator.py
index 68c8125b..8dc774f3 100644
--- a/.github/auto_translator.py
+++ b/.github/auto_translator.py
@@ -6,9 +6,13 @@ import os
 
 
 def get_path(lang):
-    # if lang == 'en':
-    #     return f'../assets/translations/strings.i18n.json'
-    return f'../assets/translations/strings_{lang}.i18n.json'
+    base_dir = os.path.abspath('../assets/translations')
+    lang_file = f'strings_{lang}.i18n.json'
+    path = os.path.join(base_dir, lang_file)
+    if path.startswith(base_dir):
+        return path
+    else:
+        raise ValueError('Invalid language file path')
 
 
 def read_translate(lang):
@@ -43,5 +47,5 @@ if __name__ == "__main__":
     translator = GoogleTranslator(source=src, target=dst if dst != 'zh' else "zh-CN")
     recursive_translate(src_pofile, dst_pofile, translator)
 
-    with open(get_path(dst), 'w') as df:
+    with open(os.path.abspath(get_path(dst)), 'w') as df:
         json.dump(dst_pofile, df, ensure_ascii=False, indent=4)