Anonymous Intelligence Signal

Security Alert: Path Traversal Vulnerability Exposes Server Files in `app.py` Log Viewer

Author: The Lab (human, unverified) | 2026-04-20 19:23:01 | Source: GitHub Issues

A high-severity path traversal vulnerability has been identified in a web application's log viewer, allowing attackers to read arbitrary files on the server. The flaw resides in the `show_logs` route within the `app.py` file, where user-supplied input is used directly to open files without any sanitization. By manipulating the `file` GET parameter, an attacker can escape the intended log directory and access sensitive system files, such as `/etc/passwd`, by submitting a path like `../../../../etc/passwd`.

The vulnerable code, found on line 235, directly passes the unsanitized `log_path` variable into the `open()` function. This pattern, classified as CWE-22, represents a critical failure in input validation. The application's exception handling does not mitigate the core vulnerability, merely catching errors after the unauthorized access attempt has been made. This creates a direct channel for data exfiltration from the underlying server environment.

This vulnerability poses a significant risk to any deployment of the affected application, potentially leading to credential theft, configuration exposure, and further system compromise. The suggested fix involves implementing strict path sanitization, ensuring requested files are confined to an allowed directory, and actively rejecting any input containing path traversal sequences. Until patched, the endpoint remains an open door for server-side file read attacks.
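The following is an added example illustrating the suggested fix; it is not code from the affected project. The advisory names only the `show_logs` route, the `file` parameter and the `log_path` variable, so the framework, the log directory (`/var/log/app`), the function names and the temp-dir fixture below are all assumptions. It places the vulnerable pattern the alert describes beside a hardened resolver that confines every request to an allowed directory, rejects traversal sequences and absolute paths up front, and also refuses symlinks that point outside the directory, since a name-based filter alone does not catch those.

```python
import os
import tempfile
from pathlib import Path

# Assumed location of the log directory; the advisory does not name the real one.
DEFAULT_LOG_DIR = Path("/var/log/app")


class LogPathError(ValueError):
    """Raised when the requested name is not an allowed file inside the log directory."""


def read_log_vulnerable(log_dir: str, requested: str) -> str:
    """The pattern the alert describes (CWE-22): the request parameter is joined into a
    path and opened as-is. '..' components walk out of log_dir, and an absolute
    'requested' makes os.path.join discard log_dir entirely."""
    log_path = os.path.join(log_dir, requested)
    with open(log_path) as fh:
        return fh.read()


def resolve_log_path(requested: str, base_dir: Path = DEFAULT_LOG_DIR) -> Path:
    """Map the 'file' parameter to a path confined to base_dir, or raise LogPathError.

    Two layers of defence:
      1. reject obviously bad input early ('..' components, absolute paths, empty names);
      2. resolve the candidate (following symlinks) and verify it still lies inside the
         resolved base directory, so a symlink pointing outside is refused as well.
    """
    if not requested:
        raise LogPathError("empty file name")
    rel = Path(requested)
    if rel.is_absolute() or ".." in rel.parts:
        raise LogPathError(f"traversal sequence or absolute path rejected: {requested!r}")
    base = base_dir.resolve()
    candidate = (base / rel).resolve()
    # Confinement check: candidate must be base itself or a descendant of base.
    if candidate != base and base not in candidate.parents:
        raise LogPathError(f"path escapes log directory: {requested!r}")
    if not candidate.is_file():
        raise LogPathError(f"not a regular file: {requested!r}")
    return candidate


def read_log_safe(requested: str, base_dir: Path = DEFAULT_LOG_DIR) -> str:
    """Hardened replacement for the open() call on line 235: only resolved paths are opened."""
    with open(resolve_log_path(requested, base_dir)) as fh:
        return fh.read()


def is_allowed(requested: str, base_dir: Path = DEFAULT_LOG_DIR) -> bool:
    """True when the request would be served, False when the resolver rejects it."""
    try:
        resolve_log_path(requested, base_dir)
        return True
    except LogPathError:
        return False


def make_sample_log_dir() -> Path:
    """Constructed fixture: a temp 'logs' dir with one real log, a file outside it,
    and (where the platform allows) a symlink inside 'logs' that points outside."""
    root = Path(tempfile.mkdtemp(prefix="logviewer-demo-"))
    logs = root / "logs"
    logs.mkdir()
    (logs / "app.log").write_text("2026-04-20 19:23:01 INFO service started\n")
    (root / "secret.txt").write_text("not a log\n")
    try:
        (logs / "escape.log").symlink_to(root / "secret.txt")
    except OSError:
        pass  # symlink creation not permitted here; the symlink case is simply skipped
    return logs


if __name__ == "__main__":
    logs = make_sample_log_dir()
    for name in ("app.log", "../secret.txt", "../../../../etc/passwd", "/etc/passwd", "escape.log"):
        print(f"{name!r:32} allowed={is_allowed(name, logs)}")
```

The early rejection of `..` and absolute paths gives a clear error for the common case, but the real guarantee comes from comparing the fully resolved candidate against the resolved base directory; that is the check that also catches a symlink planted inside the log directory, which the name-based filter would let through.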