Potential fix for code scanning alert no. 16: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: svenseeberg

opendrift_leeway_webgui/leeway/views.py

@@ -143,10 +143,12 @@ def get(self, request, path):
         base_dir = Path(settings.SIMULATION_OUTPUT).resolve()
 
         # Only allow a flat filename — no directory traversal or path separators
-        if "/" in path or "\\" in path:
+        candidate = Path(path)
+        # Reject anything that is not a simple name (e.g. contains directories or is absolute)
+        if candidate.name != path or candidate.is_absolute():
             raise Http404
 
-        file_path = (base_dir / path).resolve()
+        file_path = (base_dir / candidate).resolve()
 
         # Ensure the resolved path is inside the simulation output directory
         try: