From a4e2122382348800ddaac8e8b820e6b5b54bd1ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D9=8A?=
Date: Mon, 25 May 2026 17:34:29 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 121: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 backend/routers/video_studio/endpoints/serve.py | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/backend/routers/video_studio/endpoints/serve.py b/backend/routers/video_studio/endpoints/serve.py
index 9665e6e0..63f50ff4 100644
--- a/backend/routers/video_studio/endpoints/serve.py
+++ b/backend/routers/video_studio/endpoints/serve.py
@@ -40,29 +40,25 @@ async def serve_video_studio_video(
     video_studio_videos_dir = base_dir / "video_studio_videos"
     video_path = video_studio_videos_dir / user_id / video_filename
 
-    # Security: Ensure path is within video_studio_videos directory
+    # Security: Resolve and ensure path is within video_studio_videos directory
     try:
-        resolved_path = video_path.resolve()
         resolved_base = video_studio_videos_dir.resolve()
-        if not str(resolved_path).startswith(str(resolved_base)):
-            raise HTTPException(
-                status_code=403,
-                detail="Invalid video path"
-            )
+        resolved_path = video_path.resolve()
+        resolved_path.relative_to(resolved_base)
     except (OSError, ValueError) as e:
         logger.error(f"[VideoStudio] Path resolution error: {e}")
         raise HTTPException(status_code=403, detail="Invalid video path")
 
     # Check if file exists
-    if not video_path.exists() or not video_path.is_file():
+    if not resolved_path.exists() or not resolved_path.is_file():
         raise HTTPException(
             status_code=404,
             detail=f"Video not found: {video_filename}"
         )
 
-    logger.info(f"[VideoStudio] Serving video: {video_path}")
+    logger.info(f"[VideoStudio] Serving video: {resolved_path}")
     return FileResponse(
-        path=str(video_path),
+        path=str(resolved_path),
         media_type="video/mp4",
         filename=video_filename,
     )
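Review bot: The added `resolved_path.relative_to(resolved_base)` line is a bare expression whose result is discarded, so a reader will take it for dead code; its whole purpose is the ValueError it raises when the resolved path lies outside the base, which the existing `except (OSError, ValueError)` turns into the 403. Make that intent explicit with a comment on that line, e.g. `# relative_to() raises ValueError if the path escapes resolved_base; mapped to 403 below`. This containment check is the right replacement for the removed `startswith` test, which would have accepted sibling directories sharing the base's name as a prefix. One further point in the unchanged 404 branch: `detail=f"Video not found: {video_filename}"` echoes the raw request-supplied filename back to the client, so consider logging it server-side and returning a fixed detail string instead. The enclosing `serve_video_studio_video` starts before this hunk, so the origin of `user_id` and `video_filename` is not visible here.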