Exploiting Unknown Syntaxes - File scheme
by Brumens
The web application offers an online game where you have to capture the flag and avoid all hidden mines at all costs. Will you be able to capture the flag?
It seems that this web application does not properly validate the filename supplied by a player. How can we bypass the filename validation check and capture the flag?
Note: The flag can be found in the file: /tmp/flag.txt
Goal
Find a way to bypass the filename validation filter, read arbitrary files on the vulnerable application, and capture the flag!