Fix code scanning alert no. 39: Uncontrolled data used in path expression (#2173)

Killklli · github-advanced-security[bot] · web-flow · commit 7997869b8269 · 2024-11-11T19:57:33.000-05:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/runner.py b/runner.py
@@ -12,6 +12,7 @@
 from io import BytesIO
 from multiprocessing import Process, Queue
 from os import environ, listdir, makedirs, path, remove, walk
+from werkzeug.utils import secure_filename
 from queue import Empty
 
 from apscheduler.schedulers.background import BackgroundScheduler
@@ -514,11 +515,11 @@ def get_seed():
     hash = request.args.get("hash")
     # check if hash contains special characters not in an approved list.
     if all(c in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_=" for c in hash):
-        file_name = hash
+        file_name = secure_filename(hash)
     else:
         return make_response(json.dumps({"error": "error"}), 205)
-    fullpath = path.realpath(path.join("generated_seeds/", str(file_name) + ".json"))
-    if not fullpath.startswith(path.realpath("generated_seeds/")):
+    fullpath = path.normpath(path.join("generated_seeds/", str(file_name) + ".json"))
+    if not fullpath.startswith(path.normpath("generated_seeds/")):
         raise Exception("not allowed")
     # Check if the file exists
     if path.isfile(fullpath):
