fix directory traversal hopefully

app.py

@@ -1,6 +1,6 @@
 from asyncio.streams import StreamReader, StreamWriter
 import re
-from typing import Any, Mapping
+from typing import Any, LiteralString, Mapping
 from flask import Flask, render_template, request, send_file, jsonify
 import os
 import subprocess
@@ -21,6 +21,13 @@ app = Flask(__name__)
 volume: float = 50
 
 
+def get_path(base: Path, file: LiteralString | Path):
+    p = base.resolve().joinpath(Path(file).resolve())
+    print(p)
+    return p
+    
+
+
 def cleanup_unclean():
     if mpv_pidfile.is_file():
         print("Unclean shutdown detected")
@@ -169,7 +176,7 @@ async def route_toggle():
 @app.route("/files/<path:path>", methods=["GET"])
 @app.route("/files")
 def filemgr(path=""):
-    full_path = music_path.joinpath(path)
+    full_path = get_path(music_path, path)
     print(full_path)
     if os.path.isfile(full_path):
         return send_file(full_path)
@@ -256,7 +263,7 @@ async def api_play_track(
     if re.match("^https?://.*", filename_or_url):
         playback_uri = filename_or_url
     else:
-        file_path = music_path.joinpath(filename_or_url)
+        file_path = get_path(music_path, filename_or_url)
         if not file_path.exists():
             return jsonify(error_str.format(filename=filename_or_url)), 404
         playback_uri = str(file_path)
@@ -291,7 +298,7 @@ async def api_play_fx(
     if re.match("^https?://.*", filename_or_url):
         playback_uri = filename_or_url
     else:
-        file_path = fx_path.joinpath(filename_or_url)
+        file_path = get_path(fx_path, filename_or_url)
         if not file_path.exists():
             return jsonify(error_str.format(filename=filename_or_url)), 404
         playback_uri = str(file_path)