Potential fix for code scanning alert no. 116: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-05-25 17:35:35 +05:30
2 changed files with 15 additions and 4 deletions
--- a/backend/api/content_planning/services/content_strategy/autofill/ai_structured_autofill.py
+++ b/backend/api/content_planning/services/content_strategy/autofill/ai_structured_autofill.py
@@ -499,7 +499,7 @@ Generate the complete JSON with all 30 fields personalized for {website_url}:
        # Log context summary for debugging
        logger.info("AIStructuredAutofillService: context summary | user=%s", user_id)
        logger.info("  - Website analysis exists: %s", bool(context_summary.get('user_profile', {}).get('website_url')))
-        logger.info("  - Research config present: %s", bool(context_summary.get('research_config', {}).get('research_depth')))
+        logger.info("  - Research config: %s", context_summary.get('research_config', {}).get('research_depth', 'None'))
        logger.info("  - API capabilities: %s", len(context_summary.get('api_capabilities', {}).get('providers', [])))
        logger.info("  - Content analysis: %s", bool(context_summary.get('content_analysis')))
        logger.info("  - Audience insights: %s", bool(context_summary.get('audience_insights')))
--- a/backend/routers/product_marketing.py
+++ b/backend/routers/product_marketing.py
@@ -942,9 +942,20 @@ async def serve_product_avatar(
        if current_user_id != user_id:
            raise HTTPException(status_code=403, detail="Access denied")
        
-        # Locate video file
+        # Restrict to a filename only (no nested paths)
+        requested_name = Path(filename)
+        if requested_name.is_absolute() or requested_name.name != filename:
+            raise HTTPException(status_code=400, detail="Invalid filename")
+        
+        # Locate and validate video file path within user's avatar directory
        base_dir = Path(__file__).parent.parent.parent
-        video_path = base_dir / "product_avatars" / user_id / filename
+        user_root = (base_dir / "product_avatars" / current_user_id).resolve()
+        video_path = (user_root / requested_name).resolve()
+
+        try:
+            video_path.relative_to(user_root)
+        except ValueError:
+            raise HTTPException(status_code=400, detail="Invalid filename")
        
        if not video_path.exists():
            raise HTTPException(status_code=404, detail="Video not found")
@@ -952,7 +963,7 @@ async def serve_product_avatar(
        return FileResponse(
            path=str(video_path),
            media_type="video/mp4",
-            filename=filename
+            filename=requested_name.name
        )
        
    except HTTPException: