update

app.py

@@ -259,16 +259,25 @@ def completed(username):
         logger.exception(f"An error occurred in the completed route: {e}")
         return "An error occurred", 500
 
+
 @app.route('/visualizations/<path:filename>')
 def send_visualization(filename):
     logger.info(f"Attempting to serve file: {filename}")
     # Ensure the path is safe and doesn't allow access to files outside the intended directory
-    safe_path = os.path.join(os.getcwd(), filename)
-    directory = os.path.dirname(safe_path)
-    file_name = os.path.basename(safe_path)
+    base_dir = os.getcwd()
+    file_path = os.path.normpath(os.path.join(base_dir, filename))
+    if not file_path.startswith(base_dir):
+        return "Access denied", 403
+
+    if not os.path.exists(file_path):
+        return "File not found", 404
+
+    directory = os.path.dirname(file_path)
+    file_name = os.path.basename(file_path)
     logger.info(f"Serving file from directory: {directory}, filename: {file_name}")
     return send_from_directory(directory, file_name)
 
+
 if __name__ == "__main__":
     os.makedirs('session_data', exist_ok=True)  # Ensure the directory for session files exists
     app.run(host="0.0.0.0", port=7860, debug=True)