From 3c371d03f369b70f7958a1a1fa29a629cb379a2e Mon Sep 17 00:00:00 2001
From: Alexander Meissner
Date: Wed, 2 Oct 2024 23:16:54 +0200
Subject: [PATCH] Fix code scanning alert no. 21: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 api/api/files.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/api/api/files.py b/api/api/files.py
index 7cb22ab..7764720 100644
--- a/api/api/files.py
+++ b/api/api/files.py
@@ -29,6 +29,7 @@
 """This module defines the API routes for file management."""
 
 from flask import Blueprint, jsonify, request, send_file
+from werkzeug.utils import secure_filename
 from google.cloud import storage
 import os
 from api.auth import auth
@@ -74,7 +75,8 @@ def download_file(filename):
 return jsonify({"error": f"File '(unknown)' not found"}), 404
 
 # Create a temporary file to store the downloaded content
-temp_filename = f"/tmp/(unknown)"
+safe_filename = secure_filename(filename)
+temp_filename = os.path.join("/tmp", safe_filename)
 blob.download_to_filename(temp_filename)
 
 # Send the downloaded file to the client
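Review bot: `secure_filename(filename)` can return an empty string (for instance when every character of the input is stripped), in which case `temp_filename` on the next added line collapses to just `"/tmp"`, a directory, and `blob.download_to_filename` fails with an unhelpful server error instead of a clean 4xx. Add a guard right after the first added line: `if not safe_filename: return jsonify({"error": "Invalid filename"}), 400`. Separately, many distinct inputs sanitize to the same name, so a fixed `/tmp/<name>` path is shared between concurrent requests and one download can overwrite another's file before `send_file` reads it; a per-request `tempfile.NamedTemporaryFile` (or a `tempfile.mkdtemp()` directory) avoids that collision, and deleting the file once it has been sent keeps `/tmp` from filling up. The rest of `download_file` lies outside the hunk, so whether that cleanup already happens is not visible here.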