Skip to content

fix: webchat file attachment renamed with UUID instead of original name #8486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
march-7th-mini wants to merge 5 commits into
base: master
Choose a base branch
from
Open

fix: webchat file attachment renamed with UUID instead of original name #8486

Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
1104ee7
fix: webchat file attachment renamed with UUID instead of original name
march-7th-mini Jun 1, 2026
607c33c
Merge branch 'AstrBotDevs:master' into fix/webchat-file-rename
march-7th-mini Jun 1, 2026
e701ccc
fix: sanitize filename and optimize dedup loop
march-7th-mini Jun 1, 2026
808f0b0
Limit file name deduplication attempts to 10,000
march-7th-mini Jun 2, 2026
fb2e8d0
fix: decrease dedup max attempts to 1000 and fix ruff formatting
march-7th-mini Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 10 additions & 5 deletions astrbot/core/platform/sources/webchat/webchat_event.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,14 +109,19 @@ async def _send(
},
)
elif isinstance(comp, File):
# save file to local
# save file to local with original name
file_path = await comp.get_file()
original_name = comp.name or os.path.basename(file_path)
Comment thread
sourcery-ai[bot] marked this conversation as resolved.
ext = os.path.splitext(original_name)[1] or ""
filename = f"{uuid.uuid4()!s}{ext}"
dest_path = os.path.join(attachments_dir, filename)
safe_name = os.path.basename(original_name)
dest_path = os.path.join(attachments_dir, safe_name)
name_part, ext_part = os.path.splitext(safe_name)
# dedup: if file with same name exists, append a counter
counter = 1
while os.path.exists(dest_path):
Copy link
Copy Markdown
Member

@Soulter Soulter Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这里可以限制循环上限(比如 100_000),防止一些奇怪的问题

Copy link
Copy Markdown
Author

@march-7th-mini march-7th-mini Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

谢谢大佬!空了麻烦您再帮忙看看。

起初我只是觉得AI每次回复的文件都被重命名,就很不方便,
于是我问AstrBot,帮忙修改实现的这个效果,

因为我完全没有任何编程经验,我判断不了这个修改是否符合项目的规范,可能会带来哪些风险。

dest_path = os.path.join(attachments_dir, f"{name_part}_{counter}{ext_part}")
counter += 1
Comment on lines 114 to +125
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

Security & Efficiency Review

  1. Path Traversal Vulnerability (High Severity): Using comp.name directly in os.path.join allows potential path traversal attacks if the filename contains directory traversal sequences (e.g., ../ or ..\). This could allow an attacker to write files outside the intended attachments_dir directory. Wrapping it in os.path.basename sanitizes the filename.
  2. Redundant Computation: Calling os.path.splitext(original_name) inside the while loop is redundant because original_name does not change. Moving it outside the loop improves performance.
Suggested change
original_name = comp.name or os.path.basename(file_path)
ext = os.path.splitext(original_name)[1] or ""
filename = f"{uuid.uuid4()!s}{ext}"
dest_path = os.path.join(attachments_dir, filename)
dest_path = os.path.join(attachments_dir, original_name)
# dedup: if file with same name exists, append a counter
counter = 1
while os.path.exists(dest_path):
name_part, ext_part = os.path.splitext(original_name)
dest_path = os.path.join(attachments_dir, f"{name_part}_{counter}{ext_part}")
counter += 1
original_name = os.path.basename(comp.name or file_path)
name_part, ext_part = os.path.splitext(original_name)
dest_path = os.path.join(attachments_dir, original_name)
# dedup: if file with same name exists, append a counter
counter = 1
while os.path.exists(dest_path):
dest_path = os.path.join(attachments_dir, f"{name_part}_{counter}{ext_part}")
counter += 1

shutil.copy2(file_path, dest_path)
data = f"[FILE]{filename}"
data = f"[FILE]{os.path.basename(dest_path)}"
await web_chat_back_queue.put(
{
"type": "file",
Expand Down
Loading