fix(phase1): fix race condition, path traversal, double processing, validation in photo API

This commit is contained in:
2026-04-20 22:39:02 +03:00
parent 92f6977cae
commit af8dcbae3a
3 changed files with 346 additions and 1 deletions

View File

@@ -5,8 +5,10 @@ from typing import List
import json
from slowapi import Limiter
from slowapi.util import get_remote_address
from pathlib import Path
from .. import models, schemas, auth
from ..database import get_db
from ..image_processing import save_image, get_unique_filename
# [H-02] Rate limiter for extract-label endpoint
limiter = Limiter(key_func=get_remote_address)
@@ -238,3 +240,231 @@ def delete_item(
db.delete(db_item)
db.commit()
return {"message": "Item deleted successfully. History logs preserved."}
@router.post("/{item_id}/photo")
async def upload_photo(
item_id: int,
file: UploadFile = File(...),
crop_bounds: str = None,
db: Session = Depends(get_db),
current_user: auth.TokenData = Depends(auth.get_current_user)
):
"""[C-01] Upload and optionally crop photo for item. [FIX-4] Validates crop_bounds before processing."""
# Get item
db_item = db.query(models.Item).filter(models.Item.id == item_id).first()
if not db_item:
raise HTTPException(status_code=404, detail="Item not found")
# [FIX-4] Validate and parse crop_bounds early
crop_bounds_dict = None
if crop_bounds:
try:
crop_bounds_dict = json.loads(crop_bounds)
except json.JSONDecodeError:
raise HTTPException(status_code=400, detail="crop_bounds must be valid JSON")
# [FIX-4] Validate required keys
required_keys = {'x', 'y', 'width', 'height'}
if not required_keys.issubset(crop_bounds_dict.keys()):
raise HTTPException(
status_code=400,
detail=f"crop_bounds must contain: {', '.join(required_keys)}"
)
# [FIX-4] Validate all values are numbers and non-negative
for key in required_keys:
try:
val = float(crop_bounds_dict[key])
if val < 0:
raise HTTPException(
status_code=400,
detail=f"{key} must be >= 0"
)
except (TypeError, ValueError):
raise HTTPException(
status_code=400,
detail=f"{key} must be a number"
)
# [FIX-4] Validate width and height > 0
if crop_bounds_dict['width'] <= 0 or crop_bounds_dict['height'] <= 0:
raise HTTPException(
status_code=400,
detail="width and height must be > 0"
)
# [SECURITY] Validate file type and size
if file.content_type not in _ALLOWED_IMAGE_TYPES:
raise HTTPException(
status_code=status.HTTP_415_UNSUPPORTED_MEDIA_TYPE,
detail=f"File type not allowed: {file.content_type}"
)
contents = await file.read()
if len(contents) > _MAX_IMAGE_SIZE:
raise HTTPException(
status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
detail="File exceeds 10MB limit"
)
# Get category for filename
category = db_item.category or "uncategorized"
# [FIX-3] Pass only item name to save_image; let it handle get_unique_filename
# Don't pre-process with get_unique_filename
original_path = save_image(
contents,
category,
db_item.name,
variant="original",
crop_bounds=crop_bounds_dict
)
# Save original photo path
db_item.photo_path = f"/{original_path}"
db.commit()
db.refresh(db_item)
return {
"item_id": db_item.id,
"photo_path": db_item.photo_path,
"message": "Photo uploaded successfully"
}
@router.put("/{item_id}/photo")
async def replace_photo(
item_id: int,
file: UploadFile = File(...),
crop_bounds: str = None,
db: Session = Depends(get_db),
current_user: auth.TokenData = Depends(auth.get_current_user)
):
"""[C-01] Replace photo for item. [FIX-1] Uses missing_ok=True for race-safe deletion."""
# Get item
db_item = db.query(models.Item).filter(models.Item.id == item_id).first()
if not db_item:
raise HTTPException(status_code=404, detail="Item not found")
# [FIX-4] Validate and parse crop_bounds early
crop_bounds_dict = None
if crop_bounds:
try:
crop_bounds_dict = json.loads(crop_bounds)
except json.JSONDecodeError:
raise HTTPException(status_code=400, detail="crop_bounds must be valid JSON")
# [FIX-4] Validate required keys
required_keys = {'x', 'y', 'width', 'height'}
if not required_keys.issubset(crop_bounds_dict.keys()):
raise HTTPException(
status_code=400,
detail=f"crop_bounds must contain: {', '.join(required_keys)}"
)
# [FIX-4] Validate all values are numbers and non-negative
for key in required_keys:
try:
val = float(crop_bounds_dict[key])
if val < 0:
raise HTTPException(
status_code=400,
detail=f"{key} must be >= 0"
)
except (TypeError, ValueError):
raise HTTPException(
status_code=400,
detail=f"{key} must be a number"
)
# [FIX-4] Validate width and height > 0
if crop_bounds_dict['width'] <= 0 or crop_bounds_dict['height'] <= 0:
raise HTTPException(
status_code=400,
detail="width and height must be > 0"
)
# [SECURITY] Validate file type and size
if file.content_type not in _ALLOWED_IMAGE_TYPES:
raise HTTPException(
status_code=status.HTTP_415_UNSUPPORTED_MEDIA_TYPE,
detail=f"File type not allowed: {file.content_type}"
)
contents = await file.read()
if len(contents) > _MAX_IMAGE_SIZE:
raise HTTPException(
status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
detail="File exceeds 10MB limit"
)
# [FIX-1] Delete old photos using missing_ok=True (race-safe)
if db_item.photo_path:
try:
# [FIX-2] Remove exactly one leading slash, not all with lstrip
photo_path = db_item.photo_path
if photo_path.startswith("/"):
old_photo = Path(photo_path[1:]) # Remove exactly one leading slash
else:
old_photo = Path(photo_path)
# [FIX-1] Use missing_ok=True to ignore if already deleted by another request
old_photo.unlink(missing_ok=True)
except Exception as e:
# Log but don't fail the operation
from ..logger import log
log.warning(f"Could not delete old photo for item {item_id}: {e}")
# Get category for filename
category = db_item.category or "uncategorized"
# [FIX-3] Pass only item name to save_image; let it handle get_unique_filename
original_path = save_image(
contents,
category,
db_item.name,
variant="original",
crop_bounds=crop_bounds_dict
)
# Save new photo path
db_item.photo_path = f"/{original_path}"
db.commit()
db.refresh(db_item)
return {
"item_id": db_item.id,
"photo_path": db_item.photo_path,
"message": "Photo replaced successfully"
}
@router.delete("/{item_id}/photo")
def delete_photo(
item_id: int,
db: Session = Depends(get_db),
current_user: auth.TokenData = Depends(auth.get_current_user)
):
"""[C-01] Delete photo for item."""
db_item = db.query(models.Item).filter(models.Item.id == item_id).first()
if not db_item:
raise HTTPException(status_code=404, detail="Item not found")
if not db_item.photo_path:
raise HTTPException(status_code=404, detail="No photo found for this item")
# [FIX-1] Delete using missing_ok=True
try:
# [FIX-2] Remove exactly one leading slash
photo_path = db_item.photo_path
if photo_path.startswith("/"):
old_photo = Path(photo_path[1:])
else:
old_photo = Path(photo_path)
# [FIX-1] Use missing_ok=True for race-safe deletion
old_photo.unlink(missing_ok=True)
except Exception as e:
from ..logger import log
log.warning(f"Could not delete photo for item {item_id}: {e}")
db_item.photo_path = None
db.commit()
return {"message": "Photo deleted successfully"}