From e3625c6742e07c37da83f03f2bef487b8842584e Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 5 May 2026 17:54:27 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20=F0=9F=94=92=20secure=20get=5Fuploaded?=
 =?UTF-8?q?=5Ffile=20against=20path=20traversal?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Use pathlib.Path.resolve() and is_relative_to() for robust containment check.
- Ensure requested path is a file and not the upload directory itself.
- Add explicit check for empty filenames from _safe_filename.
- Improve error reporting with appropriate HTTP status codes (400, 403, 404).

Co-authored-by: DivyanshuChipa <211708943+DivyanshuChipa@users.noreply.github.com>
---
 backend/files.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/backend/files.py b/backend/files.py
index 0fee296..46d298f 100644
--- a/backend/files.py
+++ b/backend/files.py
@@ -38,7 +38,16 @@ async def upload_file(file: UploadFile):
 @router.get("/uploads/(unknown)")
 async def get_uploaded_file(filename: str):
     filename = _safe_filename(filename)
-    path = UPLOAD_DIR / filename
-    if not path.exists():
+    if not filename:
+        raise HTTPException(status_code=400, detail="Invalid filename")
+
+    path = (UPLOAD_DIR / filename).resolve()
+    base = UPLOAD_DIR.resolve()
+
+    if not path.is_relative_to(base) or path == base:
+        raise HTTPException(status_code=403, detail="Access denied")
+
+    if not path.exists() or not path.is_file():
         raise HTTPException(status_code=404, detail="Not found")
+
     return FileResponse(path)
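Review bot: `(UPLOAD_DIR / filename).resolve()` can itself raise — a symlink loop under the upload directory gives `RuntimeError` before Python 3.13 and `OSError` from 3.13 on — and in the new code that surfaces as an unhandled 500 rather than the 400 the commit introduces for bad names, so the resolve of the request path should be wrapped and mapped to the same 400 (the `base = UPLOAD_DIR.resolve()` line is server configuration and can stay outside the try, where a failure is legitimately a 500). The 404 test `if not path.exists() or not path.is_file():` is also redundant, since `Path.is_file()` already returns False for a missing path; `if not path.is_file():` says the same thing. `Path.is_relative_to` needs Python 3.9+, which the project's declared minimum presumably satisfies — worth confirming against its packaging metadata. A comment on the containment check would help the next reader, e.g. `# resolve() follows symlinks, so a link inside UPLOAD_DIR that points outside it is rejected as well`, and the endpoint has no docstring: one line stating that it serves a single regular file from UPLOAD_DIR and answers 400/403/404 for an empty, escaping, or missing name would do.

```python
    if not filename:
        raise HTTPException(status_code=400, detail="Invalid filename")

    try:
        path = (UPLOAD_DIR / filename).resolve()
    except (OSError, RuntimeError):
        # A symlink loop or similar under the upload directory is a bad request, not a server fault.
        raise HTTPException(status_code=400, detail="Invalid filename") from None
    base = UPLOAD_DIR.resolve()

    # resolve() follows symlinks, so a link inside UPLOAD_DIR that points outside it is rejected as well.
    # … unchanged: containment check raising 403 …

    if not path.is_file():
        raise HTTPException(status_code=404, detail="Not found")
    # … unchanged: return FileResponse(path) …
```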