From e6caf0d72300b9ad8b8ffb06390bc7c10c5229ec Mon Sep 17 00:00:00 2001
From: "Alexandre G.-Raymond"
Date: Wed, 3 Dec 2025 21:23:49 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 1: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 shabda/web.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/shabda/web.py b/shabda/web.py
index 2450cda..1c4831f 100644
--- a/shabda/web.py
+++ b/shabda/web.py
@@ -17,6 +17,7 @@
     after_this_request,
 )
 from werkzeug.exceptions import BadRequest, HTTPException
+from werkzeug.utils import secure_filename
 
 from shabda.dj import Dj
 
@@ -146,11 +147,12 @@ def remove_file(response):
 def speech_zip(definition):
     """Download a zip archive"""
     definition = definition.replace(" ", "_")
+    definition_secure = secure_filename(definition)
     try:
         words = dj.parse_definition(definition)
     except ValueError as ex:
         raise BadRequest(ex) from ex
-    tmpfile = tempfile.gettempdir() + "/" + definition + ".zip"
+    tmpfile = os.path.join(tempfile.gettempdir(), definition_secure + ".zip")
     with ZipFile(tmpfile, "w") as zipfile:
         for word, number in words.items():
             samples = dj.list(word, number, soundtype="tts")
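Review bot: `secure_filename` can return an empty string (a definition consisting only of dots, slashes or non-ASCII characters), so the new `tmpfile` line in `speech_zip` then resolves to the fixed, shared path `<tmpdir>/.zip`, and more generally any two concurrent requests whose definitions sanitize to the same name still write the same archive and clobber each other. Deriving a temp-file path from request data at all is the underlying weakness; the safer shape is to let the library choose an unpredictable name, `fd, tmpfile = tempfile.mkstemp(suffix=".zip")` followed by `os.close(fd)`, which also makes `definition_secure` unnecessary (if the user-derived name must be kept, at least reject an empty `definition_secure` with `BadRequest`). The hunk also introduces `os.path.join` while the import hunk only adds `secure_filename`; unless `os` is already imported above line 17, which I cannot see from here, this line raises `NameError` at request time. The body of `speech_zip` continues past the hunk, so whether the archive is removed after the response (the `remove_file` context in the hunk header suggests so) is not visible in this diff.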