OpenChatBI has a Path Traversal Vulnerability in save_report Tool
The save_report tool in openchatbi/tool/save_report.py has a critical path traversal vulnerability caused by insufficient sanitization of the file_format parameter. The function only strips leading dots from file_format with file_format.lstrip("."), so path traversal sequences such as /../../ pass through unchanged. Because the filename is then built by string concatenation in f"{timestamp}_{clean_title}.{file_format}", the malicious path segments are preserved, which lets an attacker write files outside the designated report directory. An attacker can …
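The following is an added example, not code from the OpenChatBI project: it reconstructs the unsafe pattern the advisory describes (lstrip(".") followed by f-string concatenation) beside a hardened variant that rejects anything but an allowlisted extension and confirms the resolved path stays inside the report directory. The allowlist, the report directory, the clean_title sanitizer and the fixed timestamp are all assumptions made for the example.

```python
import re
from pathlib import Path

# Assumed values for the example; the real project may use different ones.
ALLOWED_FORMATS = {"md", "txt", "html", "csv"}
REPORT_DIR = Path("/tmp/openchatbi_reports")
FIXED_TIMESTAMP = "20240101_000000"  # constructed so results are deterministic


def clean_title(title: str) -> str:
    """Assumed title sanitizer: keep only [A-Za-z0-9_-], collapse the rest to '_'."""
    cleaned = re.sub(r"[^A-Za-z0-9_-]+", "_", title).strip("_")
    return cleaned or "report"


def build_report_name_unsafe(title: str, file_format: str) -> str:
    """Reproduces the vulnerable pattern: only leading dots are removed,
    so interior '/..' segments survive into the filename."""
    fmt = file_format.lstrip(".")
    return f"{FIXED_TIMESTAMP}_{clean_title(title)}.{fmt}"


def build_report_path_safe(title: str, file_format: str) -> Path:
    """Hardened variant: allowlist the extension, then verify containment."""
    fmt = file_format.lstrip(".").lower()
    if fmt not in ALLOWED_FORMATS:
        # Rejects '/', '..' and any other character not part of a known extension.
        raise ValueError(f"unsupported file format: {file_format!r}")

    name = f"{FIXED_TIMESTAMP}_{clean_title(title)}.{fmt}"
    base = REPORT_DIR.resolve()
    target = (base / name).resolve()  # resolve() normalizes any '..' segments

    # Defense in depth: even if the allowlist were loosened later, the final
    # path must still sit under the report directory.
    if base not in target.parents:
        raise ValueError("resolved path escapes the report directory")
    return target


if __name__ == "__main__":
    print(build_report_name_unsafe("Quarterly Sales", "md/../../escaped"))
    print(build_report_path_safe("Quarterly Sales", ".md"))
    try:
        build_report_path_safe("Quarterly Sales", "md/../../escaped")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist alone already blocks traversal, because neither "/" nor "." can appear in an accepted extension; the containment check is kept as a second, independent guard so that a future change to the allowlist cannot silently reintroduce the problem.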