colin-d-fried · colin-d-fried · Mar 26, 2026 · devin-ai-integration · Mar 26, 2026 · cursor
diff --git a/vulnerable_path_traversal.py b/vulnerable_path_traversal.py
@@ -7,7 +7,10 @@
 def download_file():
     filename = request.args.get('file')
 
-    file_path = os.path.join('/var/www/uploads/', filename)
+    base_dir = '/var/www/uploads/'
+    file_path = os.path.realpath(os.path.join(base_dir, filename))
+    if not file_path.startswith(os.path.realpath(base_dir)):
-    if not file_path.startswith(os.path.realpath(base_dir)):
+    if not file_path.startswith(os.path.realpath(base_dir) + os.sep):
-    if not file_path.startswith(os.path.realpath(base_dir)):
+    if not file_path.startswith(os.path.realpath(base_dir) + os.sep):
+        return 'Access denied', 403
     return send_file(file_path)
 
 @app.route('/read')