
Path Traversal on file_name and calib_id #89

@ChaitanyaChute


Bug Description

In app/routes/session.py:64-80 and app/routes/session.py:165, the parameters file_name and calib_id are taken directly from user input and used to construct file system paths without any sanitization or validation.

Example pattern:

file_path = base_path / file_name
calib_path = calib_dir / calib_id

Because these values are not validated, an attacker can supply path traversal sequences such as ../../ to escape the intended directory and write files anywhere on the server.

Example malicious input:

file_name: "../../etc/cron.d/malicious"

This would cause the application to write outside the intended storage directory, potentially overwriting critical system or application files.

Steps to Reproduce

  1. Send a request to the affected endpoint that accepts file_name or calib_id.
  2. Provide a malicious path traversal payload:
     file_name = "../../tmp/pwned.txt"
  3. The server constructs the file path without sanitization.
  4. The file gets written outside the intended directory.

Expected Behavior

User-controlled inputs such as file_name and calib_id should be strictly validated and sanitized so they cannot escape the intended directory.

Proposed Fix

  1. Sanitize the filename to remove path traversal sequences.
  2. Use safe filename validation (allow only alphanumeric, _, -, ., etc.).
  3. Resolve and validate paths to ensure they remain inside the intended base directory.
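The following is an added illustration of the proposed fix (not code from this project): a helper that applies an allow-list to a single path component and then resolves the joined path to confirm it still sits directly inside the base directory. The names safe_join, resolves_safely and demo, the allow-list regex and the temporary base directory are all assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# Allow-list for one path component: letters, digits, '_', '-', '.'
# (the rule proposed in the issue). A leading dot is refused so that
# '..' and hidden files never pass; '/' and '\\' are not in the set at all.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,254}$")


def safe_join(base_dir: Path, user_name: str) -> Path:
    """Return base_dir / user_name, or raise ValueError if it would escape base_dir.

    Two independent checks: the allow-list keeps separators and '..' away from
    the filesystem, and the resolve() check (which follows symlinks) confirms
    the final location is a direct child of the resolved base directory.
    """
    if not SAFE_NAME.fullmatch(user_name):
        raise ValueError(f"rejected file name: {user_name!r}")
    base = base_dir.resolve()
    candidate = (base / user_name).resolve()
    if candidate.parent != base:
        raise ValueError(f"path escapes base directory: {user_name!r}")
    return candidate


def resolves_safely(base_dir: Path, user_name: str) -> bool:
    """Boolean wrapper around safe_join for logging or tests."""
    try:
        safe_join(base_dir, user_name)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run a constructed set of inputs (one benign, the rest traversal attempts)
    against a fresh temporary base directory and report which are accepted."""
    base = Path(tempfile.mkdtemp())
    samples = [
        "session_01.json",        # benign: accepted
        "../../tmp/pwned.txt",    # payload from the issue: rejected
        "../../etc/cron.d/malicious",
        "..", "", "/etc/passwd", "sub/file.txt", ".hidden",
    ]
    return {name: resolves_safely(base, name) for name in samples}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name!r}")
```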
