fix path problem for images

Author: MRGuziX

agents/crewai/websearch_agent/main.py

@@ -383,7 +383,10 @@ async def playground():
 @app.get("/images/{filename:path}", include_in_schema=False)
 async def serve_image(filename: str):
     """Serve images from the project-level images directory."""
-    file_path = _IMAGES_DIR / filename
+    base = _IMAGES_DIR.resolve()
+    file_path = (base / filename).resolve()
+    if not file_path.is_relative_to(base):
+        raise HTTPException(status_code=404, detail="Image not found")
     if not file_path.is_file():
         raise HTTPException(status_code=404, detail="Image not found")
     return FileResponse(file_path)

agents/langgraph/agentic_rag/main.py

@@ -407,7 +407,10 @@ async def playground():
 @app.get("/images/{filename:path}", include_in_schema=False)
 async def serve_image(filename: str):
     """Serve images from the project-level images directory."""
-    file_path = _IMAGES_DIR / filename
+    base = _IMAGES_DIR.resolve()
+    file_path = (base / filename).resolve()
+    if not file_path.is_relative_to(base):
+        raise HTTPException(status_code=404, detail="Image not found")
     if not file_path.is_file():
         raise HTTPException(status_code=404, detail="Image not found")
     return FileResponse(file_path)

agents/langgraph/react_agent/main.py

@@ -403,7 +403,10 @@ async def playground():
 @app.get("/images/{filename:path}", include_in_schema=False)
 async def serve_image(filename: str):
     """Serve images from the project-level images directory."""
-    file_path = _IMAGES_DIR / filename
+    base = _IMAGES_DIR.resolve()
+    file_path = (base / filename).resolve()
+    if not file_path.is_relative_to(base):
+        raise HTTPException(status_code=404, detail="Image not found")
     if not file_path.is_file():
         raise HTTPException(status_code=404, detail="Image not found")
     return FileResponse(file_path)

agents/langgraph/react_with_database_memory/main.py

@@ -484,7 +484,10 @@ async def playground():
 @app.get("/images/{filename:path}", include_in_schema=False)
 async def serve_image(filename: str):
     """Serve images from the project-level images directory."""
-    file_path = _IMAGES_DIR / filename
+    base = _IMAGES_DIR.resolve()
+    file_path = (base / filename).resolve()
+    if not file_path.is_relative_to(base):
+        raise HTTPException(status_code=404, detail="Image not found")
     if not file_path.is_file():
         raise HTTPException(status_code=404, detail="Image not found")
     return FileResponse(file_path)

agents/llamaindex/websearch_agent/main.py

@@ -469,7 +469,10 @@ async def playground():
 @app.get("/images/{filename:path}", include_in_schema=False)
 async def serve_image(filename: str):
     """Serve images from the project-level images directory."""
-    file_path = _IMAGES_DIR / filename
+    base = _IMAGES_DIR.resolve()
+    file_path = (base / filename).resolve()
+    if not file_path.is_relative_to(base):
+        raise HTTPException(status_code=404, detail="Image not found")
     if not file_path.is_file():
         raise HTTPException(status_code=404, detail="Image not found")
     return FileResponse(file_path)

agents/vanilla_python/openai_responses_agent/main.py

@@ -404,7 +404,10 @@ async def playground():
 @app.get("/images/{filename:path}", include_in_schema=False)
 async def serve_image(filename: str):
     """Serve images from the project-level images directory."""
-    file_path = _IMAGES_DIR / filename
+    base = _IMAGES_DIR.resolve()
+    file_path = (base / filename).resolve()
+    if not file_path.is_relative_to(base):
+        raise HTTPException(status_code=404, detail="Image not found")
     if not file_path.is_file():
         raise HTTPException(status_code=404, detail="Image not found")
     return FileResponse(file_path)