fix: Potential fix for code scanning alert no. 75: Uncontrolled data used in path expression (#421)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

src/server/routers/ingest.py

@@ -112,7 +112,10 @@ async def download_ingest(ingest_id: str) -> FileResponse:
     - **HTTPException**: **403** - the process lacks permission to read the directory or file
 
     """
-    directory = TMP_BASE_PATH / ingest_id
+    # Normalize and validate the directory path
+    directory = (TMP_BASE_PATH / ingest_id).resolve()
+    if not str(directory).startswith(str(TMP_BASE_PATH.resolve())):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"Invalid ingest ID: {ingest_id!r}")
 
     if not directory.is_dir():
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"Digest {ingest_id!r} not found")