Potential fix for code scanning alert no. 107: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-05-25 17:37:07 +05:30
1 changed files with 9 additions and 0 deletions
--- a/backend/api/images.py
+++ b/backend/api/images.py
@@ -1048,12 +1048,21 @@ async def serve_image_studio_image(
            raise HTTPException(status_code=403, detail="Access denied: image not found in your library")
        
        # Determine if it's an edited image or regular image
+        # Validate user-controlled path input before filesystem path construction
+        image_filename_path = Path(image_filename)
+        if image_filename_path.is_absolute() or any(part in ("", ".", "..") for part in image_filename_path.parts):
+            raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
+
        base_dir = Path(__file__).parent.parent
        image_studio_dir = (base_dir / "image_studio_images").resolve()
        
        if image_filename.startswith("edited/"):
            # Remove "edited/" prefix and serve from edited directory
            actual_filename = image_filename.replace("edited/", "", 1)
+            actual_filename_path = Path(actual_filename)
+            if actual_filename_path.is_absolute() or any(part in ("", ".", "..") for part in actual_filename_path.parts):
+                raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
+
            image_path = (image_studio_dir / "edited" / actual_filename).resolve()
            base_subdir = (image_studio_dir / "edited").resolve()
        else: