Spaces:

agents-course
/

Unit4_scoring

Running

App Files Files Community

Jofthomas commited on 6 days ago

Commit

719b8ed

verified ·

1 Parent(s): be83d41

Update main.py

Browse files

Files changed (1) hide show

main.py +3 -20

main.py CHANGED Viewed

@@ -248,25 +248,6 @@ async def startup_event():
              404: {"model": ErrorResponse, "description": "Task ID not found, no file associated, or file missing on server."},
              500: {"model": ErrorResponse, "description": "Server error reading file."}
          })
-async def get_task_file(task_id: str):
-    # ... (endpoint logic) ...
-    try:
-        # --- Ensure it uses the globally defined variable ---
-        abs_base_path = ALLOWED_CACHE_BASE # Uses the variable defined above
-        abs_file_path = os.path.abspath(local_file_path)
-        # Add extra debug logging right before the check
-        logger.debug(f"Security Check - Comparing: file='{abs_file_path}' against base='{abs_base_path}'")
-        if not abs_file_path.startswith(abs_base_path):
-            logger.error(f"SECURITY FAILURE: Path mismatch. File '{abs_file_path}' is NOT within allowed base '{abs_base_path}'.")
-            raise HTTPException(status_code=403, detail="File access denied.")
-        # ... rest of the endpoint ...
-    except Exception as e:
-        # ... error handling ...
-        # Log the base path again in case of error context
-        logger.error(f"Error during file access. Base path check was against: {ALLOWED_CACHE_BASE}")
-        raise e # Or handle appropriately
 async def get_task_file(task_id: str):
     """
     Serves the file associated with a specific task ID.
@@ -278,12 +259,14 @@ async def get_task_file(task_id: str):
         logger.warning(f"File request failed: task_id '{task_id}' not found in file path mapping.")
         raise HTTPException(status_code=404, detail=f"No file path associated with task_id {task_id}.")
     local_file_path = task_file_paths[task_id]
     logger.debug(f"Mapped task_id '{task_id}' to local path: {local_file_path}")
     # --- CRUCIAL SECURITY CHECK ---
     try:
         # Resolve to absolute paths to prevent '..' tricks
         abs_file_path = os.path.abspath(local_file_path)
         abs_base_path = ALLOWED_CACHE_BASE # Already absolute
@@ -305,7 +288,7 @@ async def get_task_file(task_id: str):
     # --- END SECURITY CHECK ---
     # Determine MIME type for the Content-Type header
-    mime_type, _ = mimetypes.guess_type(abs_file_path)
     media_type = mime_type if mime_type else "application/octet-stream" # Default if unknown
     # Extract filename for the Content-Disposition header (suggests filename to browser/client)

              404: {"model": ErrorResponse, "description": "Task ID not found, no file associated, or file missing on server."},
              500: {"model": ErrorResponse, "description": "Server error reading file."}
          })
 async def get_task_file(task_id: str):
     """
     Serves the file associated with a specific task ID.
         logger.warning(f"File request failed: task_id '{task_id}' not found in file path mapping.")
         raise HTTPException(status_code=404, detail=f"No file path associated with task_id {task_id}.")
+    # --- ASSIGNMENT HAPPENS HERE ---
     local_file_path = task_file_paths[task_id]
     logger.debug(f"Mapped task_id '{task_id}' to local path: {local_file_path}")
     # --- CRUCIAL SECURITY CHECK ---
     try:
         # Resolve to absolute paths to prevent '..' tricks
+        # --- local_file_path IS NOW DEFINED before being used ---
         abs_file_path = os.path.abspath(local_file_path)
         abs_base_path = ALLOWED_CACHE_BASE # Already absolute
     # --- END SECURITY CHECK ---
     # Determine MIME type for the Content-Type header
+    mime_type, _ = mimetypes.guess_type(abs_file_path) # Ensure 'import mimetypes' is at the top
     media_type = mime_type if mime_type else "application/octet-stream" # Default if unknown
     # Extract filename for the Content-Disposition header (suggests filename to browser/client)