Potential fix for code scanning alert no. 36: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: makseq

label_studio_ml/examples/deepgram/model.py

@@ -3,6 +3,7 @@
 import pathlib
 from types import SimpleNamespace
 from typing import List, Dict, Optional
+from werkzeug.utils import secure_filename
 from label_studio_ml.model import LabelStudioMLBase
 from label_studio_ml.response import ModelResponse
 from label_studio_sdk import LabelStudio
@@ -58,9 +59,13 @@ def predict(self, tasks: List[Dict], context: Optional[Dict] = None, **kwargs) -
         )
 
         # Generate unique filename for the audio file - task_id and user_id are unique identifiers for the task and user
-        audio_filename = f"{task_id}_{context['user_id']}.mp3"
-        local_audio_path = f"/tmp/{audio_filename}"
-        
+        safe_task_id = secure_filename(str(task_id))
+        safe_user_id = secure_filename(str(context['user_id']))
+        audio_filename = f"{safe_task_id}_{safe_user_id}.mp3"
+        local_audio_path = os.path.normpath(os.path.join("/tmp", audio_filename))
+        # Ensure the final path is within /tmp
+        if not local_audio_path.startswith(os.path.abspath("/tmp") + os.sep):
+            raise ValueError("Invalid path: attempted directory traversal in filename")
         # Write audio chunks to local file
         with open(local_audio_path, "wb") as audio_file:
             for chunk in response: