From 00be32f4d2e436db6081e72306c9390b273f3f6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Do=C4=9Fukan=20=C3=9Crker?=
Date: Tue, 17 Dec 2024 14:48:40 +0300
Subject: [PATCH] Fix code scanning alert no. 91: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 utils/flashMessage.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/utils/flashMessage.py b/utils/flashMessage.py
index d161950d..4038b23e 100644
--- a/utils/flashMessage.py
+++ b/utils/flashMessage.py
@@ -1,3 +1,4 @@
+import os
 from modules import (
 load, # Import the load function from the modules module
 flash, # Import the flash function from the modules module
@@ -21,9 +22,10 @@ def flashMessage(
 None
 """
 text = None # Initialize the text variable
- translationFile = (
- f"./translations/{language}.json" # Define the path to the translation file
- )
+ base_path = "./translations"
+ translationFile = os.path.normpath(os.path.join(base_path, f"{language}.json")) # Define the path to the translation file
+ if not translationFile.startswith(base_path):
+ raise Exception("Invalid language path")
 match exists(translationFile): # Check if the translation file exists
 case True: # If the translation file exists, open and load the JSON data
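Review bot: The containment check added in the second hunk rejects every valid language, because `os.path.normpath` strips the leading `./`, so `translationFile` becomes `translations/en.json` and never starts with the unnormalised `base_path` of `./translations`; as written, every call to flashMessage will raise. Normalise both sides and compare the parent directory rather than a string prefix (a prefix test would also accept a sibling directory such as `translations_x/`, and this assumes translation files sit directly in that directory): `base_path = os.path.normpath("./translations")`, `if os.path.dirname(translationFile) != base_path:`, `raise ValueError("Invalid language path")`. A `ValueError` is more specific than a bare `Exception` for callers that want to distinguish a bad language code from other failures, and an allow-list of known language codes would be the simplest guard of all. flashMessage's signature and the rest of its body lie outside the hunk.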