fix(core): handle symlinks in deprecated prompt save path (#36585)

Resolve symlinks before validating file extensions in the deprecated `save()` method on prompt classes. Credit to Jeff Ponte (@JDP-Security) for reporting the symlink resolution issue.
2026-06-09 10:17:00 +00:00 · 2026-04-07 10:45:42 -04:00
parent ce21bf469d
commit 7629c74726
2 changed files with 21 additions and 4 deletions
--- a/libs/core/langchain_core/prompts/base.py
+++ b/libs/core/langchain_core/prompts/base.py
@@ -389,11 +389,12 @@ class BasePromptTemplate(
        directory_path = save_path.parent
        directory_path.mkdir(parents=True, exist_ok=True)

-        if save_path.suffix == ".json":
-            with save_path.open("w", encoding="utf-8") as f:
+        resolved_path = save_path.resolve()
+        if resolved_path.suffix == ".json":
+            with resolved_path.open("w", encoding="utf-8") as f:
                json.dump(prompt_dict, f, indent=4)
-        elif save_path.suffix.endswith((".yaml", ".yml")):
-            with save_path.open("w", encoding="utf-8") as f:
+        elif resolved_path.suffix.endswith((".yaml", ".yml")):
+            with resolved_path.open("w", encoding="utf-8") as f:
                yaml.dump(prompt_dict, f, default_flow_style=False)
        else:
            msg = f"{save_path} must be json or yaml"