Potential fix for code scanning alert no. 39: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Steve Springett <steve@springett.us>

Author: stevespringett

docgen/static/generate-menu.py

@@ -28,12 +28,14 @@
 
 def validate_input_path(path):
     """Ensure the input file resolves to within the script's directory."""
+    # Resolve symlinks and remove any ".." components to get a canonical path
     resolved = os.path.realpath(path)
     try:
         common = os.path.commonpath([resolved, SCRIPT_DIR])
     except ValueError:
         common = None
-    if common != SCRIPT_DIR:
+    # Require the resolved path to be strictly inside SCRIPT_DIR (not equal to it)
+    if common != SCRIPT_DIR or resolved == SCRIPT_DIR:
         print(f"ERROR: Input file must reside in {SCRIPT_DIR}", file=sys.stderr)
         sys.exit(1)
     return resolved