Upload folder using huggingface_hub
- web/app.py +1 -1
- web/routes/api.py +1 -1
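--- a/web/app.py
+++ b/web/app.py
@@ -73,7 +73,7 @@ def create_app() -> FastAPI:
 app.add_middleware(
 CORSMiddleware,
 allow_origins=["*"],
-allow_credentials=
+allow_credentials=False,
 allow_methods=["*"],
 allow_headers=["*"],
 )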
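Review bot: `allow_origins=["*"]` at line 75 still lets any website read this API's responses from a visitor's browser, together with the wildcard methods and headers at lines 77-78; that is only appropriate if every route is meant to be public and none relies on network location (localhost, intranet) for protection. If the app has a known set of front-end origins, pass them as an explicit list instead of the wildcard and narrow `allow_methods` to the verbs actually served. At minimum, a comment above line 76 would stop the flag being flipped back later: `# Must stay False while allow_origins is "*"; credentialed CORS requires an explicit origin list.` The body of create_app starts and continues outside the hunk.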
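--- a/web/routes/api.py
+++ b/web/routes/api.py
@@ -127,7 +127,7 @@ async def download_dataset(path: str = Query(..., description="Path to Zarr data
 data_dir = (PROJECT_ROOT / "data").resolve()
 
 # Security: only allow paths under PROJECT_ROOT/data
-if not
+if not dataset_path.is_relative_to(data_dir):
 raise HTTPException(status_code=403, detail="Access denied: path outside data directory")
 
 if not dataset_path.exists():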
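Review bot: `dataset_path.is_relative_to(data_dir)` at line 130 is a purely lexical comparison, so the containment check is only sound if `dataset_path` was normalised with `.resolve()` in the same way `data_dir` is at line 127; the assignment sits above the hunk, so this cannot be confirmed from here. If it is not resolved, a request path with parent-directory segments or a symlink inside data/ would satisfy the check while pointing elsewhere. Making the dependency explicit right before the check would help, something like `dataset_path = (PROJECT_ROOT / path).resolve()`, plus extending the comment at line 129 to say `# both sides must be resolved before comparing`. `Path.is_relative_to` also requires Python 3.9 or newer, which is worth confirming against the deployment target. download_dataset begins and continues outside the hunk.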