CWE-22: scripts/file_helper.py uses SQLite table names read from sqlite_master directly in open() paths (lines 40, 57). A malicious .db file containing a table named ../../tmp/evil causes files to be written outside the output directory. Fix: sanitize table names with os.path.basename().
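The following is an added example, not the code from scripts/file_helper.py: it builds a constructed .db containing the table name from the report and compares the unsanitized path with the os.path.basename() fix, including the names basename() leaves unchanged. The function names, the ".csv" suffix and the directory layout are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile
from contextlib import closing

def table_names(db_path):
    """Table names exactly as stored in sqlite_master (attacker-controlled)."""
    with closing(sqlite3.connect(db_path)) as conn:
        rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
        return [r[0] for r in rows]

def is_inside(out_dir, path):
    """True if path resolves to a location under out_dir."""
    root = os.path.realpath(out_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def unsafe_path(out_dir, table):
    # Pattern from the report: the table name goes into the path as-is.
    return os.path.join(out_dir, table + ".csv")  # ".csv" is an assumed suffix

def safe_path(out_dir, table):
    # Fix from the report: keep only the final path component.
    name = os.path.basename(table.replace("\\", "/"))
    # basename("..") is still ".." and basename("x/") is "", so reject those.
    if name in ("", ".", ".."):
        raise ValueError(f"unusable table name: {table!r}")
    path = os.path.join(out_dir, name + ".csv")
    if not is_inside(out_dir, path):  # defence in depth, e.g. symlinked targets
        raise ValueError(f"path escapes output directory: {table!r}")
    return path

def demo():
    """Build a constructed .db and report (unsafe_inside, safe_inside) per table."""
    with tempfile.TemporaryDirectory() as work:
        db = os.path.join(work, "sample.db")
        out = os.path.join(work, "a", "b", "out")
        os.makedirs(out)
        with closing(sqlite3.connect(db)) as conn:
            conn.execute('CREATE TABLE "../../tmp/evil" (x)')  # name from the report
            conn.execute("CREATE TABLE users (x)")  # constructed benign table
            conn.commit()
        return {t: (is_inside(out, unsafe_path(out, t)),
                    is_inside(out, safe_path(out, t)))
                for t in table_names(db)}

if __name__ == "__main__":
    for table, (unsafe_ok, safe_ok) in demo().items():
        print(f"{table!r}: unsafe inside={unsafe_ok}, sanitized inside={safe_ok}")
```

The demo only computes and resolves paths; it writes nothing outside its temporary directory.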