From a3f73a5256e0a552d387491ecab9ebbb90ebada6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D9=8A?=
Date: Mon, 25 May 2026 17:37:07 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 107: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 backend/api/images.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/backend/api/images.py b/backend/api/images.py
index 7ca2a1ba..a5bd1946 100644
--- a/backend/api/images.py
+++ b/backend/api/images.py
@@ -1048,12 +1048,21 @@ async def serve_image_studio_image(
         raise HTTPException(status_code=403, detail="Access denied: image not found in your library")
 
     # Determine if it's an edited image or regular image
+    # Validate user-controlled path input before filesystem path construction
+    image_filename_path = Path(image_filename)
+    if image_filename_path.is_absolute() or any(part in ("", ".", "..") for part in image_filename_path.parts):
+        raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
+
     base_dir = Path(__file__).parent.parent
     image_studio_dir = (base_dir / "image_studio_images").resolve()
     if image_filename.startswith("edited/"):
         # Remove "edited/" prefix and serve from edited directory
         actual_filename = image_filename.replace("edited/", "", 1)
+        actual_filename_path = Path(actual_filename)
+        if actual_filename_path.is_absolute() or any(part in ("", ".", "..") for part in actual_filename_path.parts):
+            raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
+
         image_path = (image_studio_dir / "edited" / actual_filename).resolve()
         base_subdir = (image_studio_dir / "edited").resolve()
     else: