From a6b7c17e56de6122955bcc35cd990083d3f94a51 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 26 Mar 2026 09:13:04 +0000
Subject: [PATCH] fix: resolve CodeQL alert #31 - Uncontrolled data used in path expression

---
 vulnerable_path_traversal.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/vulnerable_path_traversal.py b/vulnerable_path_traversal.py
index 8f83550..3e015c4 100644
--- a/vulnerable_path_traversal.py
+++ b/vulnerable_path_traversal.py
@@ -46,7 +46,10 @@ def get_user_file(user_id, filename):
 @app.route('/image')
 def serve_image():
     img_name = request.args.get('name')
-    img_path = "./static/images/" + img_name
+    base_dir = os.path.realpath("./static/images/")
+    img_path = os.path.realpath(os.path.join(base_dir, img_name))
+    if not img_path.startswith(base_dir):
+        return 'Access denied', 403
     return send_file(img_path)
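Review bot: The containment check `if not img_path.startswith(base_dir):` is a plain string-prefix test, and because `os.path.realpath` drops the trailing slash, `base_dir` ends in `.../static/images`, so any sibling directory whose name merely extends that prefix (for example `.../static/images_archive/...`) would pass the check; a path-aware comparison closes that gap: `if os.path.commonpath([base_dir, img_path]) != base_dir:`. The added lines also still reach `os.path.join(base_dir, img_name)` when the `name` query parameter is absent, where `img_name` is `None` and the join raises `TypeError`, turning a malformed request into a 500; a guard such as `if img_name is None: return 'Missing name', 400` placed before the join keeps the failure explicit. An empty `name` resolves `img_path` to `base_dir` itself, which the prefix check accepts and `send_file` then fails on — the `commonpath` form plus the `None` guard does not cover that case either, so consider also rejecting `img_path == base_dir`. `serve_image` begins and ends within the hunk.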