Merge pull request #7 from Eldritchy/alert-autofix-4

Fix code scanning alert no. 4: Uncontrolled data used in path expression
VelisCore · Dec 7, 2024 · 74e62b2 · 74e62b2
2 parents 66e3444 + 13c21e0
commit 74e62b2
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/app/web.py b/app/web.py
@@ -55,7 +55,11 @@ def view_page():
         return jsonify({"error": "Full URL is required"}), 400
 
     sanitized = sanitize_domain_or_url(domain_or_url)
-    domain_db_path = os.path.join(BASE_DIR, f'{sanitized}.db')
+    domain_db_path = os.path.normpath(os.path.join(BASE_DIR, f'{sanitized}.db'))
+
+    if not domain_db_path.startswith(BASE_DIR):
+        logging.error(f"Attempted access to a path outside the base directory: {domain_db_path}")
+        return jsonify({"error": "Invalid path"}), 400
 
     if not os.path.exists(domain_db_path):
         logging.error(f"No database found for URL: {domain_or_url}")