From cde6d9323a87dcd77416fa10fec24885fd6ba337 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 26 Mar 2026 09:12:54 +0000
Subject: [PATCH] fix: resolve CodeQL alert #28 - Uncontrolled data used in path expression
---
 vulnerable_path_traversal.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/vulnerable_path_traversal.py b/vulnerable_path_traversal.py
index 8f83550..487ca3a 100644
--- a/vulnerable_path_traversal.py
+++ b/vulnerable_path_traversal.py
@@ -7,7 +7,10 @@ def download_file():
     filename = request.args.get('file')
-    file_path = os.path.join('/var/www/uploads/', filename)
+    base_dir = '/var/www/uploads/'
+    file_path = os.path.realpath(os.path.join(base_dir, filename))
+    if not file_path.startswith(os.path.realpath(base_dir)):
+        return 'Access denied', 403
     return send_file(file_path)
 @app.route('/read')
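Review bot: The containment test on the added `if not file_path.startswith(os.path.realpath(base_dir)):` line is a plain string-prefix check against a normalized base that no longer ends in a separator (`realpath` strips the trailing slash of `'/var/www/uploads/'`), so a resolved path that merely shares that string prefix, such as a sibling directory whose name begins with `uploads`, is accepted; compare path components instead, e.g. `os.path.commonpath([base_dir, file_path]) == base_dir`, or append `os.sep` to the prefix before the comparison. Separately, `request.args.get('file')` returns `None` when the parameter is absent, and `os.path.join(base_dir, None)` then raises `TypeError` before the new check runs, so an empty or missing name should be rejected up front with a 4xx rather than surfacing as a server error. An empty or `.` value also resolves to the base directory itself and passes either check, so it is worth confirming the resolved target is a regular file before handing it to `send_file`. The enclosing `download_file` begins before this hunk (only its body lines are shown); the rewritten lines below replace the four added ones.
```python
    filename = request.args.get('file')
    base_dir = os.path.realpath('/var/www/uploads/')
    if not filename:
        return 'Bad request', 400
    file_path = os.path.realpath(os.path.join(base_dir, filename))
    # Component-wise containment: a shared string prefix is not enough.
    if os.path.commonpath([base_dir, file_path]) != base_dir or not os.path.isfile(file_path):
        return 'Access denied', 403
    # … unchanged: return send_file(file_path) …
```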