Potential fix for code scanning alert no. 107: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

backend/api/images.py

@@ -1048,12 +1048,21 @@ async def serve_image_studio_image(
             raise HTTPException(status_code=403, detail="Access denied: image not found in your library")
         
         # Determine if it's an edited image or regular image
+        # Validate user-controlled path input before filesystem path construction
+        image_filename_path = Path(image_filename)
+        if image_filename_path.is_absolute() or any(part in ("", ".", "..") for part in image_filename_path.parts):
+            raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
+
         base_dir = Path(__file__).parent.parent
         image_studio_dir = (base_dir / "image_studio_images").resolve()
         
         if image_filename.startswith("edited/"):
             # Remove "edited/" prefix and serve from edited directory
             actual_filename = image_filename.replace("edited/", "", 1)
+            actual_filename_path = Path(actual_filename)
+            if actual_filename_path.is_absolute() or any(part in ("", ".", "..") for part in actual_filename_path.parts):
+                raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
+
             image_path = (image_studio_dir / "edited" / actual_filename).resolve()
             base_subdir = (image_studio_dir / "edited").resolve()
         else:

backend/routers/product_marketing.py

@@ -942,20 +942,9 @@ async def serve_product_avatar(
         if current_user_id != user_id:
             raise HTTPException(status_code=403, detail="Access denied")
         
-        # Restrict to a filename only (no nested paths)
-        requested_name = Path(filename)
-        if requested_name.is_absolute() or requested_name.name != filename:
-            raise HTTPException(status_code=400, detail="Invalid filename")
-        
-        # Locate and validate video file path within user's avatar directory
+        # Locate video file
         base_dir = Path(__file__).parent.parent.parent
-        user_root = (base_dir / "product_avatars" / current_user_id).resolve()
-        video_path = (user_root / requested_name).resolve()
-
-        try:
-            video_path.relative_to(user_root)
-        except ValueError:
-            raise HTTPException(status_code=400, detail="Invalid filename")
+        video_path = base_dir / "product_avatars" / user_id / filename
         
         if not video_path.exists():
             raise HTTPException(status_code=404, detail="Video not found")
@@ -963,7 +952,7 @@ async def serve_product_avatar(
         return FileResponse(
             path=str(video_path),
             media_type="video/mp4",
-            filename=requested_name.name
+            filename=filename
         )
         
     except HTTPException: