From c55dd021961b6cd53e63845084520d0d8eb1cc57 Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr
Date: Thu, 9 Apr 2026 16:31:46 +0200
Subject: [PATCH] fix: stop leaking server file paths in upload responses

Return filename instead of full server-side path in upload_session and upload_artifact responses.
---
 app/api/upload.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/api/upload.py b/app/api/upload.py
index f7eb1d7..88ea9b7 100644
--- a/app/api/upload.py
+++ b/app/api/upload.py
@@ -34,7 +34,7 @@ async def upload_session(
 if len(content) > MAX_UPLOAD_SIZE:
 raise HTTPException(status_code=413, detail=f"File too large (max {MAX_UPLOAD_SIZE // 1024 // 1024}MB)")
 target.write_bytes(content)
- return {"status": "ok", "path": str(target), "size": len(content)}
+ return {"status": "ok", "filename": filename, "size": len(content)}


 @router.post("/artifacts")
@@ -56,7 +56,7 @@ async def upload_artifact(
 if len(content) > MAX_UPLOAD_SIZE:
 raise HTTPException(status_code=413, detail=f"File too large (max {MAX_UPLOAD_SIZE // 1024 // 1024}MB)")
 target.write_bytes(content)
- return {"status": "ok", "path": str(target), "size": len(content)}
+ return {"status": "ok", "filename": filename, "size": len(content)}


 class LocalMdRequest(BaseModel):
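Review bot: The `filename` returned by `upload_session` is bound outside this hunk, so it is not visible whether it is the sanitized on-disk name or the raw client-supplied value; if it is the latter, the response can still echo path separators or differ from the name that was actually written. Deriving the value from the written path, `return {"status": "ok", "filename": target.name, "size": len(content)}`, guarantees a bare basename that matches the stored file, and the same applies to the identical return in `upload_artifact` in the second hunk. Renaming the response key from `path` to `filename` also changes the contract for existing clients, so it deserves a line in the API notes or changelog. Both function bodies begin above the hunks shown here.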