Potential fix for code scanning alert no. 1: Uncontrolled data used in path expression

[Bajahaw]

Potential fix for https://github.com/Bajahaw/ai-ui/security/code-scanning/1

In general, the fix is to ensure that any filesystem path derived from r.URL.Path is constrained to a known safe directory. That typically means joining r.URL.Path to h.staticDir, resolving it to an absolute path, and confirming that the result is still under h.staticDir before using it. If the check fails, the handler should return an error (or the SPA shell) instead of touching the filesystem.

For this specific code, the simplest, non‑functional change is to: (1) derive the candidate path using filepath.Join(h.staticDir, r.URL.Path), (2) normalize it with filepath.Abs, (3) ensure it still lives under h.staticDir (using a normalized absolute version of h.staticDir), and (4) use that safe, normalized path for os.Stat. If the path escapes the static directory or normalization fails, we treat it as “not a real file” and fall back to index.html (the existing behavior for non‑existent files). This avoids leaking whether arbitrary files outside h.staticDir exist, and keeps the rest of the behavior intact. To implement this, we need to import "path/filepath" and compute staticAbs once per request before the check.

Concretely:

• Add path/filepath to the imports in backend/cmd/main.go.
• In spaHandler.ServeHTTP, replace the path := "." + r.URL.Path and direct os.Stat(h.staticDir + "/" + r.URL.Path) with logic that:
  • Computes staticAbs, err := filepath.Abs(h.staticDir) and requested, err := filepath.Abs(filepath.Join(staticAbs, r.URL.Path)).
  • If any error occurs or requested is not under staticAbs, treat it as not a real file and serve index.html.
  • Otherwise, os.Stat(requested) to decide whether to serve the SPA shell or let h.fs handle the static file.
• The unused path variable can be removed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[Bajahaw]

To fix this, keep using absolute, normalized paths but strengthen the containment check between requestedAbs and staticAbs in a clear, standard way. Specifically, use strings.HasPrefix and ensure that either requestedAbs is exactly staticAbs or that it starts with staticAbs followed by the OS-specific path separator. This guarantees that /var/www/static2 is not treated as contained in /var/www/static, and it makes the intent explicit. Additionally, use filepath.Join instead of concatenating h.staticDir + "/index.html" so that path construction is correct and OS-independent.

Concretely, in backend/cmd/main.go:

• Import the standard library package strings.
• In spaHandler.ServeHTTP:
  • Compute indexFile := filepath.Join(staticAbs, "index.html") (after you know staticAbs), and reuse it for all fallback calls to http.ServeFile.
  • Replace the manual prefix check len(requestedAbs) < len(staticAbs) || requestedAbs[:len(staticAbs)] != staticAbs with a more robust boundary-aware prefix check using strings.HasPrefix and string(os.PathSeparator).

This preserves existing behavior (serving static files when inside the designated directory and index.html otherwise) while removing the path traversal risk and aligning with common secure path-handling patterns.