From d464649072b46b0f111d3d290380fe5ae282148b Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Thu, 16 Jan 2025 11:40:35 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 20: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 freezing/web/views/api.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freezing/web/views/api.py b/freezing/web/views/api.py
index 2ce5176..ad9df29 100644
--- a/freezing/web/views/api.py
+++ b/freezing/web/views/api.py
@@ -412,7 +412,7 @@ def _get_cached(key: str, compute):
     cache_file = Path(os.path.normpath(Path(cache_dir).joinpath(key))).resolve()
 
     try:
-        if not str(cache_file).startswith(str(Path(cache_dir).resolve()) + os.sep):
+        if os.path.commonpath([str(cache_file), str(Path(cache_dir).resolve())]) != str(Path(cache_dir).resolve()):
             raise Exception("Invalid cache file path")
         if cache_file.is_file():
             time_stamp = datetime.datetime.fromtimestamp(cache_file.stat().st_mtime)
@@ -422,7 +422,7 @@ def _get_cached(key: str, compute):
         content = compute()
 
         cache_file.parent.mkdir(parents=True, exist_ok=True)
-        if not str(cache_file).startswith(str(Path(cache_dir).resolve()) + os.sep):
+        if os.path.commonpath([str(cache_file), str(Path(cache_dir).resolve())]) != str(Path(cache_dir).resolve()):
             raise Exception("Invalid cache file path")
         cache_file.write_bytes(content)
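Review bot: The new commonpath test on the `+` line accepts `cache_file` being the cache root itself, which the replaced `startswith(... + os.sep)` check rejected; a key such as `""` or `"."` appears to resolve to `cache_dir` exactly, pass both checks, and reach `write_bytes` on a directory later in the function. Hoisting the root once and keeping the equality case closes that gap and removes the three `Path(cache_dir).resolve()` evaluations per check: add `cache_root = Path(cache_dir).resolve()` next to the `cache_file` assignment, then use `if cache_file == cache_root or cache_root not in cache_file.parents:` in place of the commonpath expression. The identical condition is repeated verbatim in the second hunk (old line 425), so one private helper called from both sites would keep the two in step. `os.path.commonpath` also raises `ValueError` rather than the intended `Exception("Invalid cache file path")` when the two paths sit on different drives on Windows, which the parents-based form avoids. The `except` branch of `_get_cached` lies outside both hunks, so whether a first-check failure is swallowed before the second check runs cannot be confirmed here.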