From 0cfe16da7cd0c1775e462ddce84f028263e9e89e Mon Sep 17 00:00:00 2001
From: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
Date: Mon, 30 Sep 2024 17:05:16 -0700
Subject: [PATCH] Fix code scanning alert no. 28: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
---
 nettacker/api/core.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/nettacker/api/core.py b/nettacker/api/core.py
index 82163c1e0..bb2ca4037 100644
--- a/nettacker/api/core.py
+++ b/nettacker/api/core.py
@@ -117,16 +117,17 @@ def get_file(filename):
     Returns:
         content of the file or abort(404)
     """
-    if not os.path.normpath(filename).startswith(str(Config.path.web_static_dir)):
+    base_path = str(Config.path.web_static_dir)
+    fullpath = os.path.normpath(os.path.join(base_path, filename))
+    if not fullpath.startswith(base_path):
         abort(404)
     try:
-        return open(filename, "rb").read()
+        return open(fullpath, "rb").read()
     except ValueError:
         abort(404)
     except IOError:
         abort(404)
-
 
 def api_key_is_valid(app, flask_request):
     """
     check the validity of API key
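Review bot: The new containment check `if not fullpath.startswith(base_path):` is a bare string-prefix test, so any sibling directory whose name begins with the static directory's name (for example `<static_dir>_backup`, reachable through a `..` segment that normpath collapses) still satisfies it; the comparison needs a separator boundary. I would normalize the base once and compare on a path boundary: `base_path = os.path.normpath(str(Config.path.web_static_dir))`, `fullpath = os.path.normpath(os.path.join(base_path, filename))`, `if fullpath != base_path and not fullpath.startswith(base_path + os.sep):`. Note also that normpath does not resolve symlinks, so a link inside the static directory can still point outside it; if that matters for this deployment, `os.path.realpath` on both sides would be the stricter choice. The rewritten `return open(fullpath, "rb").read()` keeps the unclosed file handle from the old line; `with open(fullpath, "rb") as f: return f.read()` would release it deterministically. get_file's body begins before this hunk.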