fix: return filename instead of absolute path in upload responses

2026-04-12 14:23:51 +02:00 · 2026-04-12 14:23:51 +02:00 · 209643becb
commit 209643becb
parent 31e210c7e3
1 changed files with 13 additions and 0 deletions
--- a/tests/test_api_complete.py
+++ b/tests/test_api_complete.py
@ -237,3 +237,16 @@ class TestUpload:
            headers=_h(client["admin"]),
        )
        assert resp.status_code == 413
+
+    def test_upload_does_not_leak_absolute_path(self, client):
+        """Upload response should not contain absolute filesystem paths."""
+        import io
+        resp = client["client"].post(
+            "/api/upload/artifacts",
+            files={"file": ("test.txt", io.BytesIO(b"hello"), "text/plain")},
+            headers=_h(client["admin"]),
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert not data.get("path", "").startswith("/"), "Response should not leak absolute path"
+        assert "filename" in data, "Response should contain filename"