lines changed Expand file tree Collapse file tree 1 file changed +5
-4
lines changed Original file line number Diff line number Diff line change @@ -78,11 +78,12 @@ async def serve_app(full_path: str):
7878 - Return 404 on suspicious access instead of leaking details.
7979 """
8080 try :
81- candidate = (BUILD_DIR_PATH / full_path ).resolve ()
81+ # Normalize and join to avoid odd path segments, then resolve.
82+ # This mirrors the suggested remediation (normpath + join) but
83+ # uses Path.relative_to() as the final containment check.
84+ normalized = os .path .normpath (os .path .join (BUILD_DIR , full_path ))
85+ candidate = Path (normalized ).resolve ()
8286
83- # Compute relative parts and block dotfiles anywhere in path.
84- # Use Path.relative_to() as the canonical containment check; it
85- # raises an exception if `candidate` is outside `BUILD_DIR_PATH`.
8687 try :
8788 rel_parts = candidate .relative_to (BUILD_DIR_PATH ).parts
8889 except Exception :
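Review bot: The containment check at `candidate.relative_to(BUILD_DIR_PATH)` is purely lexical, so it is only sound if `BUILD_DIR_PATH` is the fully resolved form of `BUILD_DIR`; `candidate` has been through `resolve()`, and if the build dir is reached via a symlink or a relative path, every request will be rejected (a 404-for-everything failure rather than a bypass, but still a defect). The definition of `BUILD_DIR_PATH` is outside this hunk, so I cannot confirm it is resolved; either resolve it once where it is defined or compare against `BUILD_DIR_PATH.resolve()` here: `rel_parts = candidate.relative_to(BUILD_DIR_PATH.resolve()).parts`. Note also that `os.path.join(BUILD_DIR, full_path)` discards `BUILD_DIR` entirely when `full_path` is absolute (the same as the old `/` operator), so the `relative_to` check is the only thing enforcing containment and the `normpath` step adds no security on its own; the comment on the added lines should say so rather than suggest it is part of the defence. `except Exception:` could be narrowed to `except ValueError:`, which is what `relative_to` raises. `serve_app` continues past the end of this hunk.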