From eccfb3dd6e369ba069696161a979623547a9ede7 Mon Sep 17 00:00:00 2001
From: yash gajjar
Date: Wed, 27 May 2026 14:34:33 +0530
Subject: [PATCH 1/3] fix: prevent path traversal in zip member validation

---
 backend/app/routers/analyze.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backend/app/routers/analyze.py b/backend/app/routers/analyze.py
index 234a6873..37792546 100644
--- a/backend/app/routers/analyze.py
+++ b/backend/app/routers/analyze.py
@@ -131,7 +131,10 @@ def _project_grade(score: int) -> str:
 
 
 def _safe_zip_name(name: str) -> str:
- return name.replace("\\", "/").lstrip("/")
+ clean_name = name.replace("\\", "/").lstrip("/")
+ if ".." in PurePosixPath(clean_name).parts:
+ raise ValueError("Invalid path: contains '..'")
+ return clean_name
 
 
 def _is_safe_member(name: str) -> bool:

From 9364295f6059d0a3bf81d88c2d019470574e2249 Mon Sep 17 00:00:00 2001
From: yash gajjar
Date: Wed, 27 May 2026 14:42:26 +0530
Subject: [PATCH 2/3] fix: add non-root user to Dockerfile and backend/Dockerfile

---
 Dockerfile | 4 ++++
 backend/Dockerfile | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index f349935b..c220a35e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,5 +20,9 @@ COPY frontend/ ./frontend/
 # Expose port
 EXPOSE 8000
 
+# Run as non-root user
+RUN adduser --disabled-password --gecos "" appuser
+USER appuser
+
 # Run
 CMD ["uvicorn", "backend.app.main:app", "--host", "0.0.0.0", "--port", "8000"]
\ No newline at end of file
diff --git a/backend/Dockerfile b/backend/Dockerfile
index f349935b..c220a35e 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -20,5 +20,9 @@ COPY frontend/ ./frontend/
 # Expose port
 EXPOSE 8000
 
+# Run as non-root user
+RUN adduser --disabled-password --gecos "" appuser
+USER appuser
+
 # Run
 CMD ["uvicorn", "backend.app.main:app", "--host", "0.0.0.0", "--port", "8000"]
\ No newline at end of file

From d04d9c9f4a7e1332210a48430a6935e3535852ba Mon Sep 17 00:00:00 2001
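Review bot: The new `..` check turns `_safe_zip_name` from a pure normaliser into one that raises `ValueError`, so any caller that used its result to build an extraction path now needs to handle the exception — `_is_safe_member`, whose body starts below the hunk, looks like the intended boolean gate and presumably should catch it (`except ValueError: return False`) rather than let it escape the request handler as a 500. The check itself is sound as far as the hunk shows: `PurePosixPath(...).parts` keeps `..` components while collapsing `.`, and the preceding `replace`/`lstrip` already handle backslashes and leading slashes, but `PurePosixPath` must be imported from `pathlib` at the top of the file, which this hunk does not show. Name sanitisation alone also does not cover symlink members (entries whose `external_attr` marks them as links), so the extractor should still skip those or `realpath` the final target and confirm it stays under the destination directory. A docstring would make the new contract explicit: `"""Normalise a zip member name to a relative POSIX path; raise ValueError on any '..' component."""`.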
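Review bot: `USER appuser` switches to a symbolic name with an unpinned UID, which Kubernetes' `runAsNonRoot` check cannot verify ("image has non-numeric user") and which can collide with host UIDs on mounted volumes; pin it with `RUN adduser --disabled-password --gecos "" --no-create-home --uid 10001 appuser` and `USER 10001`. The `adduser --disabled-password --gecos` form is Debian/Ubuntu-specific and fails on Alpine or distroless bases; the base image is above the hunk, so confirm it matches. Everything `COPY`ed earlier stays root-owned and read-only for the new user, which is desirable, but if the app writes into its working directory at runtime (for example when extracting uploaded zips) it will now fail with EACCES unless it uses a writable location such as `/tmp` or a directory `chown`ed to the new UID.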
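Review bot: This file is byte-for-byte identical to the top-level Dockerfile (same blob ids `f349935b..c220a35e`, same `COPY frontend/ ./frontend/` and `backend.app.main:app` entrypoint), so the two will keep needing parallel patches like this one; consider keeping a single Dockerfile and pointing the backend build at it, or deleting the duplicate. The UID point applies here too: fix the UID on the `adduser` line and use a numeric `USER 10001` so `runAsNonRoot` admission and volume ownership are deterministic.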
From: yash gajjar
Date: Fri, 29 May 2026 01:30:33 +0530
Subject: [PATCH 3/3] revert: remove analyze.py changes from dockerfile branch

---
 backend/app/routers/analyze.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/backend/app/routers/analyze.py b/backend/app/routers/analyze.py
index 37792546..234a6873 100644
--- a/backend/app/routers/analyze.py
+++ b/backend/app/routers/analyze.py
@@ -131,10 +131,7 @@ def _project_grade(score: int) -> str:
 
 
 def _safe_zip_name(name: str) -> str:
- clean_name = name.replace("\\", "/").lstrip("/")
- if ".." in PurePosixPath(clean_name).parts:
- raise ValueError("Invalid path: contains '..'")
- return clean_name
+ return name.replace("\\", "/").lstrip("/")
 
 
 def _is_safe_member(name: str) -> bool:
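Review bot: After this revert `_safe_zip_name` once again returns names that may still contain `..` components (only backslashes and leading slashes are normalised), so its result must not be joined to an extraction directory on its own; the traversal defence presumably rests on `_is_safe_member`, whose body is outside the hunk. Since the commit message says the check is moving to another branch rather than being dropped, a docstring would stop the next reader from mistaking this helper for a complete sanitiser: `"""Normalise separators and strip leading slashes only; does NOT reject '..' — callers must validate with _is_safe_member."""`.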