From e1ad6b57087f6979e9b27e31f93afe0ebd9cd7db Mon Sep 17 00:00:00 2001 From: Rajeshcn26 <55257003+Rajeshcn26@users.noreply.github.com> Date: Tue, 23 Dec 2025 12:51:43 +0530 Subject: [PATCH] Potential fix for code scanning alert no. 24: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- Controllers/VulnerableController.cs | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/Controllers/VulnerableController.cs b/Controllers/VulnerableController.cs index e4bf24f..34a6ed4 100644 --- a/Controllers/VulnerableController.cs +++ b/Controllers/VulnerableController.cs @@ -54,8 +54,18 @@ public IActionResult PingServer(string hostname) [HttpGet("download")] public IActionResult DownloadFile(string filename) { - // Vulnerable: No path validation - var filePath = $"/var/www/files/(unknown)"; + // Validate and normalize the requested file path to prevent path traversal + var baseDirectory = "/var/www/files"; + var baseDirectoryFullPath = System.IO.Path.GetFullPath(baseDirectory); + var combinedPath = System.IO.Path.Combine(baseDirectoryFullPath, filename ?? string.Empty); + var filePath = System.IO.Path.GetFullPath(combinedPath); + + // Ensure the resolved path is still within the intended base directory + if (!filePath.StartsWith(baseDirectoryFullPath + System.IO.Path.DirectorySeparatorChar)) + { + return BadRequest("Invalid file path."); + } + if (System.IO.File.Exists(filePath)) { var fileBytes = System.IO.File.ReadAllBytes(filePath);
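Review bot: The containment check on the new `if (!filePath.StartsWith(baseDirectoryFullPath + System.IO.Path.DirectorySeparatorChar))` line uses the default culture-sensitive comparison; a path prefix is an identifier, not text, so it should pass an explicit comparison, `if (!filePath.StartsWith(baseDirectoryFullPath + System.IO.Path.DirectorySeparatorChar, System.StringComparison.Ordinal))`, which keeps the check deterministic regardless of the process culture (CA1310). A second caveat worth recording next to that comment: `Path.GetFullPath` normalizes `..` segments lexically but does not resolve symbolic links, so a link inside `/var/www/files` that points outside it would still pass this check — suggest adding `// Note: GetFullPath does not follow symlinks; the base directory must not contain links that escape it` if that is an accepted deployment assumption. An absolute `filename` makes `Path.Combine` discard the base directory, but the prefix check rejects that result, so no further change is needed there. DownloadFile's body continues past the end of the hunk.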