From 209643becb482c7b1308e5d5082ac6abb8be181d Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr
Date: Sun, 12 Apr 2026 14:23:51 +0200
Subject: [PATCH] fix: return filename instead of absolute path in upload responses
---
 tests/test_api_complete.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/tests/test_api_complete.py b/tests/test_api_complete.py
index 56595fb..e906644 100644
--- a/tests/test_api_complete.py
+++ b/tests/test_api_complete.py
@@ -237,3 +237,16 @@ class TestUpload:
 headers=_h(client["admin"]),
 )
 assert resp.status_code == 413
+
+ def test_upload_does_not_leak_absolute_path(self, client):
+ """Upload response should not contain absolute filesystem paths."""
+ import io
+ resp = client["client"].post(
+ "/api/upload/artifacts",
+ files={"file": ("test.txt", io.BytesIO(b"hello"), "text/plain")},
+ headers=_h(client["admin"]),
+ )
+ assert resp.status_code == 200
+ data = resp.json()
+ assert not data.get("path", "").startswith("/"), "Response should not leak absolute path"
+ assert "filename" in data, "Response should contain filename"
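Review bot: The leak assertion in `test_upload_does_not_leak_absolute_path` inspects only the top-level `path` key and rejects only values that begin with `/`, so the test still passes if the server-side path is returned under any other key. As a regression guard for this information disclosure it is stronger to scan every string value, e.g. `assert not any(isinstance(v, str) and os.path.isabs(v) for v in data.values()), data`, and to pin the safe shape with `assert "/" not in data["filename"]`. Separately, `data.get("path", "")` raises `AttributeError` instead of a clean assertion failure if the response carries `"path": null`; `str(data.get("path") or "")` avoids that. The `TestUpload` class header and the module imports lie outside this hunk, so whether `os` or `io` are already imported at module level cannot be confirmed from here.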