PDF-Assit_RAG / backend /app /security.py
deploy: pure backend API with keywords fix
7c46845 unverified
# Create this new file or append to your existing helpers
from pathlib import Path
from fastapi import HTTPException, status
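def verify_secure_sandbox_path(filename: str, sandbox_base_dir: str) -> Path:
    """
    Resolve ``filename`` against the sandbox directory and confirm it stays inside it.

    Both paths are canonicalised with ``Path.resolve()`` before the containment
    check, so ``..`` segments, absolute paths and symlinks that exist at call
    time are taken into account.

    Args:
        filename: Caller-supplied name or relative path; treated as untrusted.
        sandbox_base_dir: Directory that the resolved path must remain under.

    Returns:
        The resolved absolute path, strictly below the sandbox directory.

    Raises:
        HTTPException: 403 Forbidden when the name is empty, contains a NUL
            byte, resolves to the sandbox directory itself, or resolves to a
            location outside the sandbox.

    Note:
        The check is a point-in-time decision. A symlink created inside the
        sandbox after this function returns is not covered, so callers that
        let users write into the sandbox should not treat the result as a
        lasting guarantee. ``Path.is_relative_to`` requires Python 3.9+.
    """

    def _denied():
        # One uniform response for every rejection, so the reply does not
        # reveal which of the checks failed.
        return HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Access Denied: Invalid resource path mapping.",
        )

    # An empty name would resolve to the sandbox root, and an embedded NUL can
    # make resolve() raise ValueError, which would surface as a 500 rather
    # than a clean rejection.
    if not filename or "\x00" in filename:
        raise _denied()

    base_path = Path(sandbox_base_dir).resolve()
    # Joining with an absolute filename discards base_path; the containment
    # check below is what rejects that case.
    target_path = (base_path / filename).resolve()

    # "Strictly within": the sandbox directory itself (for example ".") is not
    # a valid file target.
    if target_path == base_path or not target_path.is_relative_to(base_path):
        raise _denied()

    return target_path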