
fix(app): prevent path traversal via user_id header in python file upload (#3104)#3118

Open
qfmy83 wants to merge 1 commit into
eosphoros-ai:mainfrom
qfmy83:fix/issue-3104-path-traversal


Conversation

@qfmy83

@qfmy83 qfmy83 commented Jun 27, 2026


What

The POST /api/v1/python/file/upload handler builds the destination directory from the untrusted user_id request header:

upload_dir = os.path.join(base_dir, "python_uploads", user_id)
os.makedirs(upload_dir, exist_ok=True)

user_id is used directly as a path component with no validation, and the existing _resolve_upload_path containment check only validates the filename against upload_dir — which has already been poisoned by user_id. A header such as user_id: ../../../../tmp/x therefore escapes the uploads directory, letting a client write attacker-controlled content to an arbitrary location on the server (which can escalate to RCE via a startup hook, usercustomize.py, a cron dir, etc.). The default auth dependency is a mock, so the endpoint is unauthenticated. Fixes #3104.

Fix

Add _resolve_upload_dir(base_dir, user_id) that treats user_id as a single, opaque path segment: it rejects absolute paths, multi-segment values and ./.., then canonicalizes the directory and verifies it stays inside the python_uploads root (mirroring the existing _resolve_upload_path guard). An invalid user_id now returns a clean failure instead of writing outside the root. Legitimate ids (uuid / email-like) are unaffected.

Testing

Added test_python_upload_path_traversal.py:

  • the ../../tmp/... exploit and other traversal/absolute/multi-segment ids are rejected
  • legit user_ids resolve inside the uploads root and keep their name
pytest packages/dbgpt-app/tests/openapi/test_python_upload_path_traversal.py -v

Note: this addresses the traversal. The mock auth dependency is a separate hardening concern and is out of scope for this PR.
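The fix described above, as an added example that is not the project's own code: the unvalidated join from the description is reproduced as the "before", beside a hardened resolver that treats user_id as a single opaque segment and re-checks containment after canonicalisation. The names vulnerable_upload_dir, resolve_upload_dir, is_valid_user_id and UPLOAD_ROOT_NAME, and the base directory /srv/dbgpt, are assumptions for this illustration, not identifiers from the PR.

```python
"""Added example: hardening a header-derived upload directory.

vulnerable_upload_dir reproduces the pattern the PR describes; the names
resolve_upload_dir, is_valid_user_id and UPLOAD_ROOT_NAME are assumptions
for this illustration, not the project's identifiers.
"""
import os
from pathlib import Path, PurePath

UPLOAD_ROOT_NAME = "python_uploads"  # assumed name of the uploads root


def vulnerable_upload_dir(base_dir: str, user_id: str) -> str:
    """Before: the header value is joined in as-is, so '..' segments walk up."""
    return os.path.join(base_dir, UPLOAD_ROOT_NAME, user_id)


def vulnerable_dir_escapes_root(base_dir: str, user_id: str) -> bool:
    """True if the unvalidated join lands outside the uploads root."""
    root = os.path.normpath(os.path.join(base_dir, UPLOAD_ROOT_NAME))
    target = os.path.normpath(vulnerable_upload_dir(base_dir, user_id))
    return os.path.commonpath([root, target]) != root


def resolve_upload_dir(base_dir: str, user_id: str) -> Path:
    """After: user_id must be exactly one opaque path segment under the root.

    Raises ValueError for anything that could change the directory depth:
    separators of either flavour, absolute paths, '.'/'..', NUL bytes.  Then
    canonicalises and re-checks containment, so a pre-existing symlink named
    like a user_id that points outside the root is rejected as well.
    """
    if not user_id or "\x00" in user_id:
        raise ValueError("empty user_id or NUL byte")
    if user_id in (".", ".."):
        raise ValueError("dot entries are not valid user_ids")
    if "/" in user_id or "\\" in user_id or os.path.isabs(user_id):
        raise ValueError("user_id must be a single path segment")
    # PurePath.name strips drive letters and separators; if it changed the
    # value, user_id was not a plain segment (covers 'C:foo' on Windows).
    if PurePath(user_id).name != user_id:
        raise ValueError("user_id must be a single path segment")

    root = Path(base_dir, UPLOAD_ROOT_NAME).resolve()
    candidate = (root / user_id).resolve()
    # Containment check on the directory itself, not just the filename:
    # the canonical result must be an immediate child of the canonical root.
    if candidate.parent != root:
        raise ValueError("user_id resolves outside the uploads root")
    return candidate


def is_valid_user_id(base_dir: str, user_id: str) -> bool:
    """Convenience wrapper: True if resolve_upload_dir accepts user_id."""
    try:
        resolve_upload_dir(base_dir, user_id)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    base = "/srv/dbgpt"  # constructed base directory for the demo
    for uid in ("../../../../tmp/x", "/tmp/x", "..", "a/b",
                "c3f1-uuid", "alice@example.com"):
        print(f"{uid!r:24} before_escapes={vulnerable_dir_escapes_root(base, uid)!s:5} "
              f"after_accepts={is_valid_user_id(base, uid)}")
```

The point of the second resolve() is that the existing filename guard described in the PR runs against an upload_dir that is already wrong; checking the directory's canonical parent against the canonical root closes that gap independently of how the filename is later validated.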

@qfmy83 qfmy83 force-pushed the fix/issue-3104-path-traversal branch from 8cf3823 to f0ee57c Compare June 27, 2026 10:54

@Aries-ckt Aries-ckt left a comment

Collaborator


LGTM


Labels

fix Bug fixes


Development

Successfully merging this pull request may close these issues.

[Bug] [dbgpt-app] Unauthenticated path-traversal arbitrary file write via the user_id header in the python file-upload endpoint

2 participants