Comment 3 for bug 1933832

Alex Murray (alexmurray) wrote :

I also went looking for instances of attach_file() which may be vulnerable to this type of attack (i.e. using a computed filename that may be able to be influenced by untrusted content from the report) by searching for calls to this across the entire Debian archive which use a variable name for the file-name argument:

$ codesearch-cli "attach_file(_if_exists)?\(report($|,$|, [a-z])"
path: grub2_2.04-19/debian/apport/source_grub2.py
                       and not check_shell_syntax(fullpath):
                        invalid_grub_script.append(fullpath)
     91 attach_file(report, fullpath)
path: gnome-shell_3.38.4-1/debian/source_gnome-shell.py
                monitors = os.path.expanduser('~/.config/monitors.xml')
     28 attach_file_if_exists(report, monitors, 'monitors.xml')
path: dkms_2.8.4-4/dkms_apport.py
        report['PackageVersion'] = version
        report['Title'] = "%s %s: %s kernel module failed to build" % (package, version, options.module)
     84 attach_file_if_exists(report, make_log, 'DKMSBuildLog')
path: dkms_2.8.4-4/dkms_apport.py
        if report['SourcePackage'] == 'fglrx-installer':
            fglrx_make_log = os.path.join('/var','lib','dkms',options.module,options.version,'build','make.sh.log')
     80 attach_file_if_exists(report, fglrx_make_log, 'FglrxBuildLog')
path: shim-signed_1.37/debian/source_shim-signed.py
            attach_file(report, '/proc/sys/kernel/moksbstate_disabled')
            attach_file(report, sb_var)
     55 attach_file(report, mok_var)
path: shim-signed_1.37/debian/source_shim-signed.py
            attach_file(report, '/proc/sys/kernel/moksbstate_disabled')
     54 attach_file(report, sb_var)
path: plank_0.11.89-3/data/apport/source_plank.py
        def add_info(report, ui=None):
     27 attach_file_if_exists(report, path.expanduser('~/.config/plank/dock1/settings'), 'DockSettings')
path: gnome-shell-xrdesktop_3.36.1-2/debian/source_gnome-shell.py
                monitors = os.path.expanduser('~/.config/monitors.xml')
     28 attach_file_if_exists(report, monitors, 'monitors.xml')
path: conky_1.11.6-2/debian/conky.py
                conkyrc_path = path.expanduser('~/.conkyrc')
                if path.exists(conkyrc_path):
     17 attach_file(report, conkyrc_path)
path: conky_1.11.6-2/debian/conky.py
                                           open(conkyrc_path).read(),
                                           re.MULTILINE):
     21 attach_file_if_exists(report, file)
path: vsftpd_3.0.3-13/debian/vsftpd.apport
                attach_conffiles(report,'vsftpd')
     30 attach_file_if_exists(report, os.path.expanduser('/var/log/vsftpd.log'), 'vsftpd.log')
path: rednotebook_2.21+ds-1/debian/source_rednotebook.py
            for (key, name) in LOGS:
                log = path.join(rednotebook_dir, name)
     22 attach_file_if_exists(report, log, key)
path: shotwell_0.30.11-1/apport/shotwell.py
        def add_info(report):
            log_file = os.path.expanduser('~/.cache/shotwell/shotwell.log')
      6 apport.hookutils.attach_file_if_exists(report, log_file, 'shotwell.log')

Of these, the conky script also appears to allow untrusted files to be attached: https://sources.debian.org/src/conky/1.11.6-2/debian/conky.py/#L21 but this is a separate issue so I will file a new bug report for that.
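The pattern the search above is hunting for, as an added illustration that is not part of this bug report and not apport's own code: a hook builds the path it hands to attach_file() from something an unprivileged user controls (a report field, or the contents of a user-writable config file), so the user can point it at a file only root can read and have apport copy it into the report. Both helper names below (attach_file_unsafe, attach_file_safe), the report key 'ConfigFile' and the directory layout are hypothetical; the report is a plain dict standing in for apport's Report object, and the allowed directory is a constructed temp dir.

```python
import os
import stat
import tempfile
from pathlib import Path


def attach_file_unsafe(report, path, key=None):
    """Mimics what a naive hookutils.attach_file() call does: read `path`
    and store its bytes under `key`, with no check of where `path` points."""
    key = key or os.path.basename(str(path))
    with open(path, 'rb') as f:
        report[key] = f.read()


def attach_file_safe(report, path, allowed_root, key=None):
    """Hardened variant (example policy, not apport's): attach only a regular
    file that, after resolving every symlink, lives inside `allowed_root`.
    Returns True when something was attached, False when the path was refused."""
    root = Path(allowed_root).resolve()
    p = Path(path)
    # A user-writable directory lets the user plant a symlink; refuse those.
    if p.is_symlink():
        return False
    try:
        resolved = p.resolve(strict=True)   # follows symlinks in parent dirs too
    except (OSError, RuntimeError):
        return False
    if root not in resolved.parents:        # escaped via ../ or a parent symlink
        return False
    # Open without following a final-component symlink (guards the window
    # between resolve() and open()), then confirm it is a regular file.
    flags = os.O_RDONLY | getattr(os, 'O_NOFOLLOW', 0)
    try:
        fd = os.open(resolved, flags)
    except OSError:
        return False
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        with os.fdopen(fd, 'rb') as f:
            fd = None
            report[key or resolved.name] = f.read()
    finally:
        if fd is not None:
            os.close(fd)
    return True


def demo():
    """Constructed scenario: the hook computes the file to attach from a
    report field the reporting user can influence. Returns, per input,
    (unsafe variant leaked the secret?, safe variant attached anything?)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        home = tmp / 'home'
        home.mkdir()
        secret = tmp / 'secret'                 # stands in for a root-only file
        secret.write_text('root-only data\n')
        (home / 'app.conf').write_text('# legitimate config\n')
        (home / 'link').symlink_to(secret)      # planted by the user

        for field_value in ['app.conf', '../secret', 'link']:
            report = {'ConfigFile': field_value}   # user-influenced content
            target = home / report['ConfigFile']   # hook's computed filename

            unsafe = {}
            attach_file_unsafe(unsafe, target, 'Config')
            safe = {}
            attached = attach_file_safe(safe, target, home, 'Config')

            leaked = b'root-only' in unsafe.get('Config', b'')
            results[field_value] = (leaked, attached)
    return results


if __name__ == '__main__':
    for field_value, (leaked, attached) in demo().items():
        print(f'{field_value:12} unsafe leaked={leaked}  safe attached={attached}')
```

The two escapes that matter in practice are the ones shown: a relative component ('../secret') and a symlink in a user-writable directory ('link'). Resolving the path and checking the parent chain handles the first; refusing symlinks, opening with O_NOFOLLOW and checking the file type on the open descriptor handles the second, including the race between the check and the read.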