Resolved CodeQL warnings about log injection and path traversal

Author: tieneupin

src/murfey/server/demo_api.py

@@ -110,7 +110,7 @@ class Settings(BaseSettings):
 
 settings = Settings()
 
-machine_config: dict = {}
+machine_config: dict[str, MachineConfig] = {}
 if settings.murfey_machine_configuration:
     microscope = get_microscope()
     machine_config = from_file(Path(settings.murfey_machine_configuration), microscope)
@@ -1297,6 +1297,12 @@ def suggest_path(
     )
     check_path = check_path.parent / f"{check_path.stem}{count}{check_path.suffix}"
 
+    # Check for path traversal attempt
+    if not str(check_path.resolve()).startswith(
+        str(machine_config[instrument_name].rsync_basepath)
+    ):
+        raise Exception(f"Path traversal attempt detected: {str(check_path)!r}")
+
     # Check previous year to account for the year rolling over during data collection
     if not sanitise_path(check_path).exists():
         base_path_parts = list(params.base_path.parts)
@@ -1313,10 +1319,15 @@ def suggest_path(
             else Path(f"/dls/{get_microscope()}") / base_path
         )
         check_path = check_path.parent / f"{check_path.stem}{count}{check_path.suffix}"
+        # Check for path traversal attempt
+        if not str(check_path.resolve()).startswith(
+            str(machine_config[instrument_name].rsync_basepath)
+        ):
+            raise Exception(f"Path traversal attempt detected: {str(check_path)!r}")
 
         # If visit is not in the previous year either, it's a genuine error
         if not check_path.exists():
-            log_message = (
+            log_message = sanitise(
                 "Unable to find current visit folder under "
                 f"{str(check_path_prev)!r} or {str(check_path)!r}"
             )