From 349443c4cca3e366dc22e0a3a084359650a2f549 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=B2=20Boschi?=
Date: Thu, 23 May 2024 12:37:28 +0200
Subject: [PATCH] fix uncontrolled data used in path expression from /custom_component (#1926)
---
 src/backend/base/langflow/api/utils.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/backend/base/langflow/api/utils.py b/src/backend/base/langflow/api/utils.py
index e2f6e07e7..f7e0548fe 100644
--- a/src/backend/base/langflow/api/utils.py
+++ b/src/backend/base/langflow/api/utils.py
@@ -1,3 +1,4 @@
+import os
 import warnings
 from pathlib import Path
 from typing import TYPE_CHECKING, Optional
@@ -140,7 +141,10 @@ def get_file_path_value(file_path):
 # If the path is not in the cache dir, return empty string
 # This is to prevent access to files outside the cache dir
 # If the path is not a file, return empty string
- if not path.exists() or not str(path).startswith(user_cache_dir("langflow", "langflow")):
+ if not str(path).startswith(user_cache_dir("langflow", "langflow")):
+ return ""
+
+ if not path.exists():
 return ""
 return file_path
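Review bot: The containment test in the second hunk, `str(path).startswith(user_cache_dir("langflow", "langflow"))`, is a prefix comparison on the unnormalised string, so it does not confine the value to the cache directory. A path that begins with the cache directory but contains `..` segments still passes, as does a sibling directory whose name merely starts with the same characters. Comparing resolved path components would close both gaps, for example `cache_dir = Path(user_cache_dir("langflow", "langflow")).resolve()` followed by `if not path.resolve().is_relative_to(cache_dir): return ""` (needs Python 3.9+, and `resolve()` itself touches the filesystem). The `import os` added in the first hunk is not used by either visible hunk, so wire it into a normalisation step such as `os.path.normpath` or drop it. `path` is assigned above the hunk, so whether it is already normalised there cannot be confirmed from this patch.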