patch: sanitize file extension in HuggingFaceTextToSpeechModelInference (#101)

Sanitize the file extension to prevent path traversal attack for users
that take untrusted inputs in the init.

Author: eyurtsev

libs/community/langchain_community/tools/audio/huggingface_text_to_speech_inference.py

@@ -65,6 +65,11 @@ def __init__(
                 f"'{_HUGGINGFACE_API_KEY_ENV_NAME}' must be or set or passed"
             )
 
+        # Sanitize file extension to prevent path traversal attacks
+        file_extension = os.path.basename(file_extension).lstrip(".")
+        if not file_extension or "/" in file_extension or "\\" in file_extension:
+            raise ValueError("Invalid file extension")
+
         if file_naming_func == "uuid":
             file_namer = lambda: str(uuid.uuid4())  # noqa: E731
         elif file_naming_func == "timestamp":