From 3f8c3d288586266de80c2a849de82ccb6dc246fb Mon Sep 17 00:00:00 2001
From: Aaron Schneider <90160014+schneidergithub@users.noreply.github.com>
Date: Tue, 17 Feb 2026 21:14:58 -0500
Subject: [PATCH 1/3] Potential fix for code scanning alert no. 142: Uncontrolled data used in path expression

If running locally as root or super-user (your own computer), this is not a big deal. However, on restricted computers, this is a security risk and considered best practice.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 acestep/api/train_api_service.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/acestep/api/train_api_service.py b/acestep/api/train_api_service.py
index f22e9649..1de6060d 100644
--- a/acestep/api/train_api_service.py
+++ b/acestep/api/train_api_service.py
@@ -174,10 +174,19 @@ async def export_lora(request: ExportLoRARequest, _: None = Depends(verify_api_k
 try:
 export_path = request.export_path.strip()
+ # Constrain export_path to a safe base directory and prevent path traversal
+ safe_base = os.path.abspath("./exports")
+ export_path = os.path.abspath(os.path.join(safe_base, export_path))
+ if not export_path.startswith(safe_base + os.sep) and export_path != safe_base:
+ raise HTTPException(status_code=400, detail="Invalid export path")
+ os.makedirs(os.path.dirname(export_path) if os.path.dirname(export_path) else ".", exist_ok=True)
 if os.path.exists(export_path):
 shutil.rmtree(export_path)
 shutil.copytree(source_path, export_path)
 return wrap_response({"message": "LoRA exported successfully", "export_path": export_path, "source": source_path})
+ except HTTPException:
+ # Re-raise HTTP exceptions to preserve intended status codes
+ raise
 except Exception as exc:
 return wrap_response(None, code=500, error=f"Export failed: {exc}")
From 6e813f4b5fc55825c26358576b605fd203fb0ede Mon Sep 17 00:00:00 2001
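Review bot: The `and export_path != safe_base` escape in the new guard lets an empty or `.` `request.export_path` resolve to the exports root itself, and the unchanged `shutil.rmtree(export_path)` a few lines further down then deletes every previously exported LoRA before `copytree` replaces the directory with a single one. PATCH 2/3 removes that clause, which is the right shape — `if not export_path.startswith(safe_base + os.sep):` — but PATCH 3/3 puts it back, so the final state of the series still carries the problem. Separately, the success response echoes the absolute server-side `export_path`; returning `os.path.relpath(export_path, safe_base)` would keep the host's filesystem layout out of the API. `export_lora` starts before this hunk and `source_path` is built there, so whether it receives the same containment check is not visible here.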
From: Aaron Schneider <90160014+schneidergithub@users.noreply.github.com>
Date: Tue, 17 Feb 2026 21:20:47 -0500
Subject: [PATCH 2/3] Update acestep/api/train_api_service.py

First commit was too focused, this will fix another alert too.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 acestep/api/train_api_service.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/acestep/api/train_api_service.py b/acestep/api/train_api_service.py
index 1de6060d..a4abd266 100644
--- a/acestep/api/train_api_service.py
+++ b/acestep/api/train_api_service.py
@@ -177,10 +177,10 @@ async def export_lora(request: ExportLoRARequest, _: None = Depends(verify_api_k
 # Constrain export_path to a safe base directory and prevent path traversal
 safe_base = os.path.abspath("./exports")
 export_path = os.path.abspath(os.path.join(safe_base, export_path))
- if not export_path.startswith(safe_base + os.sep) and export_path != safe_base:
+ if not export_path.startswith(safe_base + os.sep):
 raise HTTPException(status_code=400, detail="Invalid export path")
- os.makedirs(os.path.dirname(export_path) if os.path.dirname(export_path) else ".", exist_ok=True)
+ os.makedirs(os.path.dirname(export_path), exist_ok=True)
 if os.path.exists(export_path):
 shutil.rmtree(export_path)
 shutil.copytree(source_path, export_path)
From 2ac30cec8697fc1c8346cb91b96c82ee98edfcfb Mon Sep 17 00:00:00 2001
From: Aaron Schneider <90160014+schneidergithub@users.noreply.github.com>
Date: Tue, 17 Feb 2026 21:22:45 -0500
Subject: [PATCH 3/3] Update acestep/api/train_api_service.py

good catch

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 acestep/api/train_api_service.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/acestep/api/train_api_service.py b/acestep/api/train_api_service.py
index a4abd266..e370b747 100644
--- a/acestep/api/train_api_service.py
+++ b/acestep/api/train_api_service.py
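Review bot: The containment test on the new `if` line compares lexically normalised strings, and `os.path.abspath` does not resolve symlinks, so a symlinked directory under `./exports` passes the `startswith` check while `shutil.copytree` below writes through the link to wherever it points. Resolving both sides first closes that gap and also retires the string-prefix idiom: `safe_base = os.path.realpath("./exports")`, `export_path = os.path.realpath(os.path.join(safe_base, export_path))`, `if export_path == safe_base or os.path.commonpath([safe_base, export_path]) != safe_base:`. Note also that `safe_base` is derived from the process working directory rather than a configured location, so the sandbox moves with wherever the service happens to be launched from.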
@@ -176,8 +176,10 @@ async def export_lora(request: ExportLoRARequest, _: None = Depends(verify_api_k
 export_path = request.export_path.strip()
 # Constrain export_path to a safe base directory and prevent path traversal
 safe_base = os.path.abspath("./exports")
+ # Strip leading separators to prevent os.path.join from treating input as absolute
+ export_path = export_path.lstrip("/").lstrip("\\")
 export_path = os.path.abspath(os.path.join(safe_base, export_path))
- if not export_path.startswith(safe_base + os.sep):
+ if not export_path.startswith(safe_base + os.sep) and export_path != safe_base:
 raise HTTPException(status_code=400, detail="Invalid export path")
 os.makedirs(os.path.dirname(export_path), exist_ok=True)