From 935aa5da7b1487881fe919a6589285fafd9143b3 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 26 Mar 2026 09:12:57 +0000
Subject: [PATCH] fix: resolve CodeQL alert #29 - Uncontrolled data used in path expression
---
 vulnerable_path_traversal.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/vulnerable_path_traversal.py b/vulnerable_path_traversal.py
index 8f83550..c94784c 100644
--- a/vulnerable_path_traversal.py
+++ b/vulnerable_path_traversal.py
@@ -14,7 +14,11 @@ def download_file():
 def read_file():
 file_name = request.args.get('filename', 'default.txt')
- with open(file_name, 'r') as f:
+ base_dir = os.path.realpath('/var/www/files/')
+ safe_path = os.path.realpath(os.path.join(base_dir, file_name))
+ if not safe_path.startswith(base_dir):
+ return 'Access denied', 403
+ with open(safe_path, 'r') as f:
 content = f.read()
 return content
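Review bot: The containment test `if not safe_path.startswith(base_dir):` is a plain string-prefix comparison, and because `os.path.realpath('/var/www/files/')` drops the trailing slash, any sibling directory whose name merely begins with `files` (e.g. `/var/www/files-old/`, a constructed example) would also satisfy it. Compare whole path components instead: `if os.path.commonpath([base_dir, safe_path]) != base_dir:`, which rejects such siblings while still accepting everything under the intended directory. An empty `filename` resolves to `base_dir` itself, passes the check, and then makes `open()` raise `IsADirectoryError`; an `os.path.isfile(safe_path)` guard before the `open` would turn that into a clean `'Access denied', 403` (or a 404) rather than a 500. The new lines also rely on `os` being imported, which cannot be confirmed from this hunk since the module's import block is outside it. `read_file` appears to end at `return content`, but the hunk header counts more lines than are visible, so the trailing context may be cut off.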