Fix/SK-904 | Uncontrolled data used in path expression (#635)

fedn/network/api/interface.py

@@ -1,11 +1,11 @@
 import base64
 import copy
-import os
 import threading
 import uuid
 from io import BytesIO
 
 from flask import jsonify, send_from_directory
+from werkzeug.security import safe_join
 from werkzeug.utils import secure_filename
 
 from fedn.common.config import get_controller_config, get_network_config
@@ -232,7 +232,7 @@ def set_compute_package(self, file, helper_type: str, name: str = None, descript
         file_name = file.filename
         storage_file_name = secure_filename(f"{str(uuid.uuid4())}.{extension}")
 
-        file_path = os.path.join("/app/client/package/", storage_file_name)
+        file_path = safe_join("/app/client/package/", storage_file_name)
         file.save(file_path)
 
         self.control.set_compute_package(storage_file_name, file_path)
@@ -377,7 +377,7 @@ def download_compute_package(self, name):
             try:
                 data = self.control.get_compute_package(name)
                 # TODO: make configurable, perhaps in config.py or package.py
-                file_path = os.path.join("/app/client/package/", name)
+                file_path = safe_join("/app/client/package/", name)
                 with open(file_path, "wb") as fh:
                     fh.write(data)
                 # TODO: make configurable, perhaps in config.py or package.py
@@ -399,7 +399,7 @@ def _create_checksum(self, name=None):
             name, message = self._get_compute_package_name()
             if name is None:
                 return False, message, ""
-        file_path = os.path.join("/app/client/package/", name)  # TODO: make configurable, perhaps in config.py or package.py
+        file_path = safe_join("/app/client/package/", name)  # TODO: make configurable, perhaps in config.py or package.py
         try:
             sum = str(sha(file_path))
         except FileNotFoundError: