From d715a3178a8371de0f981c43b08b7a133e3ab864 Mon Sep 17 00:00:00 2001 From: Andrew Smalley Date: Wed, 18 Feb 2026 15:50:07 +0000 Subject: [PATCH] Potential fix for code scanning alert no. 36: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- bin/adfmanager.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/bin/adfmanager.py b/bin/adfmanager.py index aa3693b36..8b48fdf13 100755 --- a/bin/adfmanager.py +++ b/bin/adfmanager.py @@ -1701,11 +1701,19 @@ def param(name, default=""): path = socket.getfqdn() and path # noop; keep lint calm path = bytes(path, "utf-8").decode("utf-8") # we already encoded in JS; parse_qs decodes %xx automatically - p = Path(path) + base_dir = Path(self.cfg["dir"]).resolve() + raw_path = Path(path) + if not raw_path.is_absolute(): + p = (base_dir / raw_path).resolve(strict=False) + else: + p = raw_path.resolve(strict=False) + try: + # Ensure the resolved path is within the configured image directory + p.relative_to(base_dir) + except ValueError: + return self._json({"error": "path must be inside image directory"}, code=400) if not p.exists(): return self._json({"error": f"not found: {p}"}, code=400) - if not path_within_dir(Path(self.cfg["dir"]), p): - return self._json({"error": "path must be inside image directory"}, code=400) status = get_status(self.cfg["host"], self.cfg["port"]) preferred = int(unit_raw) if unit_raw.isdigit() else None unit = pick_unit(preferred, status)
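Review bot: The `if not p.exists():` check that follows the new containment test still passes for directories, and an empty or `.` `path` now resolves to `base_dir` itself, which is inside the image directory and exists; unless the code after this hunk rejects non-files, `if not p.is_file():` would be the safer guard. The `not found` response also interpolates `p`, which after this change is the resolved absolute path, so a relative request that misses discloses the server-side location of the image directory; echoing the caller's own value, `return self._json({"error": f"not found: {path}"}, code=400)`, avoids that. The containment logic is inlined here rather than corrected in `path_within_dir`, whose body is not visible, so any other call sites of that helper presumably keep the old behaviour and are worth checking. The enclosing handler starts and ends outside this hunk.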