Potential fix for code scanning alert no. 174: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-03-14 14:45:49 +01:00 · 2026-02-07 18:50:43 +11:00 · 2026-02-07 18:50:43 +11:00 · 583acad592
commit 583acad592
parent 1479494dfb
1 changed files with 14 additions and 2 deletions
--- a/v3/examples/screen/main.go
+++ b/v3/examples/screen/main.go
@ -57,8 +57,20 @@ func main() {

 					// Clean the requested URL path and make it relative, to prevent directory traversal
 					cleanPath := filepath.Clean(r.URL.Path)
-					// Treat the request path as relative by stripping any leading forward slash (HTTP paths always use "/").
-					relativePath := strings.TrimPrefix(cleanPath, "/")
+
+					// Normalize to use forward slashes for leading-separator handling.
+					normalized := strings.ReplaceAll(cleanPath, "\\", "/")
+
+					// Strip all leading slashes so the path is always treated as relative.
+					normalized = strings.TrimLeft(normalized, "/")
+
+					// On Windows, also reject drive-letter or UNC-style absolute paths outright.
+					if strings.HasPrefix(normalized, ":") || strings.HasPrefix(normalized, "\\") {
+						next.ServeHTTP(w, r)
+						return
+					}
+
+					relativePath := normalized

 					// Resolve the requested path against the absolute assets directory.
 					resolvedPath, err := filepath.Abs(filepath.Join(assetsDirAbs, relativePath))