Intent-Code Divergence
Severity: Medium
- Confidence: 97%
- Finding: The function's stated contract is that it reads only from the project's output directory, but the guard it actually enforces checks only that the resolved target lies under the broader project root. Since the output directory is itself inside the root, every file in the repository satisfies that check. An attacker who can influence the filepath argument (for example with `..` segments) can therefore read any file in the repository, including configuration, source, secrets, or other sensitive local data. The containment check should be made against the output directory, not the project root.

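The mismatch described above, shown as an added example rather than the project's own code. The project layout, the `output/` directory name, the `config/secrets.toml` target and the function names are all constructed for this demonstration; the divergent version mirrors the finding (docstring says "output directory", check says "project root"), and the second version pins the check to the directory the docstring names.

```python
"""Added example: the path-containment mismatch described in the finding.

Hypothetical project layout (constructed for this demo, not the project's own):
    <root>/output/report.txt      -- what the function is supposed to serve
    <root>/config/secrets.toml    -- what it must never serve
"""
import tempfile
from pathlib import Path


def is_within(target: Path, base: Path) -> bool:
    """True if `target` resolves to `base` itself or to a path beneath it.

    Both sides are resolved first so `..` segments and symlinks are collapsed
    before the comparison; a plain string-prefix test would wrongly accept
    `<root>/output-old/...` as being inside `<root>/output`.
    """
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def read_output_file_divergent(project_root: Path, filepath: str) -> bytes:
    """Docstring says 'only files in the output directory'; the check says otherwise.

    The guard tests containment in `project_root`, so `../config/secrets.toml`
    passes: it is still inside the repository.
    """
    root = project_root.resolve()
    target = (root / "output" / filepath).resolve()
    if not is_within(target, root):          # wrong boundary: too broad
        raise PermissionError(f"refusing to read outside project: {target}")
    return target.read_bytes()


def read_output_file(project_root: Path, filepath: str) -> bytes:
    """Same intent, with the check pinned to the directory the docstring names."""
    output_dir = (project_root / "output").resolve()
    target = (output_dir / filepath).resolve()
    if not is_within(target, output_dir):    # boundary matches the stated intent
        raise PermissionError(f"refusing to read outside output dir: {target}")
    return target.read_bytes()


def demo() -> dict:
    """Build the constructed layout in a temp dir and exercise both versions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "output").mkdir()
        (root / "config").mkdir()
        (root / "output" / "report.txt").write_bytes(b"report\n")
        (root / "config" / "secrets.toml").write_bytes(b"token = 'constructed'\n")

        traversal = "../config/secrets.toml"   # attacker-influenced filepath
        results = {
            "divergent_reads_secret": read_output_file_divergent(root, traversal),
        }
        try:
            read_output_file(root, traversal)
            results["hardened_blocks_secret"] = False
        except PermissionError:
            results["hardened_blocks_secret"] = True
        results["hardened_reads_report"] = read_output_file(root, "report.txt")
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two details worth noting when applying the fix. Joining with `pathlib` discards the left operand when `filepath` is absolute, so `output_dir / "/etc/passwd"` becomes `/etc/passwd`; resolving and then checking containment rejects that case as well, which a prefix test on the unresolved string would not. Resolving before the comparison also means a symlink placed inside `output/` that points outside it is rejected, because the resolved target is what gets compared.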