Why this matters
The bug. Bash interpolation is dumb string substitution. The path /var/data/$file becomes /var/data/../../etc/passwd when $file is ../../etc/passwd, and cat (rightly) follows the path as the kernel normalizes it.
The fix. basename strips any directory component, leaving just the trailing filename. ${file##*/} is the pure-shell equivalent (longest prefix matching */ deleted). Either way, the resulting path stays anchored under /var/data/.
Heuristic. When a script path concatenates a user value, ask: 'what does .. do here?' If the answer is 'it escapes the safe root', either basename it, resolve to absolute and check the prefix, or run the script in a chroot.
Review heuristic
Whenever filesystem path concatenation meets a request value, verify there's a containment check on the resolved absolute path. The check has to come after normalization and has to fail closed (reject by default), not by string-stripping ...
External reference: CWE-22: Path Traversal.
↳ CWE-22: Path Traversal.