Merge pull request #81 from karam-ajaj/alert-autofix-6

karam-ajaj · web-flow · commit ce4233c15c2b · 2026-01-02T19:16:34.000+01:00
Potential fix for code scanning alert no. 6: Uncontrolled data used in path expression
diff --git a/config/scripts/app.py b/config/scripts/app.py
@@ -277,7 +277,12 @@ def event_generator():
             safe_container = validate_container_name(container)
             cmd = ["docker", "logs", "-f", "--tail", "10", safe_container]
         else:
-            filepath = f"{LOGS_DIR}/{filename}"
+            base_dir = os.path.abspath(LOGS_DIR)
+            filepath = os.path.normpath(os.path.join(base_dir, filename))
+            # Ensure the resolved path stays within the logs directory
+            if os.path.commonpath([base_dir, filepath]) != base_dir:
+                yield "data: [ERROR] Invalid log file path\n\n"
+                return
             if not os.path.exists(filepath):
                 yield f"data: [ERROR] File not found: {filepath}\n\n"
                 return
