"""Utility functions shared across the OCR service with no ML-stack imports."""

import os

from fastapi import HTTPException


def _validate_zip_entry(name: str, extract_dir: str) -> None:
    """Reject ZIP Slip attacks: path traversal and absolute paths."""
    if os.path.isabs(name) or name.startswith(".."):
        raise HTTPException(status_code=400, detail=f"Unsafe ZIP entry: {name}")
    resolved = os.path.realpath(os.path.join(extract_dir, name))
    if not resolved.startswith(os.path.realpath(extract_dir)):
        raise HTTPException(status_code=400, detail=f"ZIP Slip detected: {name}")