[Security] fix download security problem (#61162)

wanghuancoder · web-flow · commit 5c50d1a8b97b · 2024-01-31T14:25:50.000+08:00
* fix download security problem
diff --git a/python/paddle/dataset/common.py b/python/paddle/dataset/common.py
@@ -18,6 +18,7 @@
 import importlib
 import os
 import pickle
+import re
 import shutil
 import sys
 import tempfile
@@ -71,6 +72,11 @@ def md5file(fname):
 
 
 def download(url, module_name, md5sum, save_name=None):
+    module_name = re.match("^[a-zA-Z0-9_/\\-]+$", module_name).group()
+    if isinstance(save_name, str):
+        save_name = re.match(
+            "^(?:(?!\\.\\.)[a-zA-Z0-9_/\\.-])+$", save_name
+        ).group()
     dirname = os.path.join(DATA_HOME, module_name)
     if not os.path.exists(dirname):
         os.makedirs(dirname)
