Web UI dataset #617
Changes from 47 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
from datetime import datetime | ||
from typing import Optional | ||
|
||
from medperf.entities.schemas import ApprovableSchema, MedperfSchema | ||
|
||
|
||
class Association(MedperfSchema, ApprovableSchema): | ||
id: int | ||
metadata: dict | ||
dataset: Optional[int] | ||
model_mlcube: Optional[int] | ||
benchmark: int | ||
initiated_by: int | ||
created_at: Optional[datetime] | ||
modified_at: Optional[datetime] |
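Review bot: `dataset` and `model_mlcube` are both `Optional[int]` with nothing enforcing that exactly one of them is set, so an `Association` with neither (or both) validates; if the schema is meant to describe either a dataset association or a model association, a model-level validator that rejects the neither/both cases would make that rule explicit. `metadata: dict` is likewise unconstrained; if particular keys are expected there, a typed sub-schema would document them.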
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
# medperf/web_ui/api/routes.py | ||
import os | ||
from fastapi import APIRouter, HTTPException, Query | ||
from fastapi.responses import JSONResponse | ||
|
||
router = APIRouter() | ||
|
||
BASE_DIR = os.getcwd() # Restrict access to this base directory | ||
|
||
|
||
@router.get("/browse") | ||
def browse_directory(path: str = Query(...)): | ||
full_path = os.path.join(BASE_DIR, path) | ||
os.path.join(BASE_DIR, path) | ||
|
||
if not os.path.exists(full_path) or not os.path.isdir(full_path): | ||
Check failure Code scanning / CodeQL Uncontrolled data used in path expression High
This path depends on a
user-provided value Error loading related location Loading |
||
raise HTTPException(status_code=404, detail="Directory not found") | ||
|
||
# Ensure path is within the base directory | ||
if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR): | ||
raise HTTPException(status_code=403, detail="Access denied") | ||
|
||
# List directories inside the path | ||
folders = [] | ||
for item in os.listdir(full_path): | ||
Check failure Code scanning / CodeQL Uncontrolled data used in path expression High
This path depends on a
user-provided value Error loading related location Loading |
||
item_path = os.path.join(full_path, item) | ||
if os.path.isdir(item_path): | ||
Check failure Code scanning / CodeQL Uncontrolled data used in path expression High
This path depends on a
user-provided value Error loading related location Loading |
||
folders.append({"name": item, "path": os.path.relpath(item_path, BASE_DIR)}) | ||
|
||
# Add the parent directory if not at the root | ||
parent = os.path.dirname(full_path) if full_path != BASE_DIR else None | ||
|
||
return JSONResponse({"folders": folders, "parent": parent}) |
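Review bot: the containment check `if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR)` does not normalise `..` segments: `os.path.commonpath` treats `..` as an ordinary path component, so for an input such as `path="../.."` the common path is `BASE_DIR` itself, the check passes, and `os.listdir(full_path)` runs on a directory above the base. Resolve first and compare for equality, e.g. `target = os.path.realpath(os.path.join(BASE_DIR, path))` followed by `if os.path.commonpath([BASE_DIR, target]) != BASE_DIR: raise HTTPException(403)`, and move that check above the `os.path.exists`/`os.path.isdir` calls so no filesystem probing happens on an unvalidated path; that ordering is also what the three CodeQL "Uncontrolled data used in path expression" alerts are pointing at. Two smaller points: the bare `os.path.join(BASE_DIR, path)` directly under the `full_path = ...` assignment is a no-op and should be deleted, and `parent` is returned as an absolute server path from `os.path.dirname(full_path)` while each entry in `folders` carries a path relative to `BASE_DIR`; returning `os.path.relpath(parent, BASE_DIR)` keeps the response consistent and avoids exposing the server's directory layout to the UI.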
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
This function lists all files and folders on the server side. So, yes, it is expected to use the user's given path to list its content (though it still may be dangerous? I don't know)
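The CodeQL alerts and the question in the reply above both come down to the containment check in `browse_directory`. As an added example that is not part of the PR or the project, the block below reproduces that check beside a version that resolves the path before comparing, and runs both over constructed inputs in a throwaway temporary directory (all directory names are constructed for the demo).

```python
import os
import tempfile


def is_within_base(base_dir: str, user_path: str) -> bool:
    """Return True only if user_path resolves to base_dir or somewhere below it.

    realpath() normalises '..' segments and symlinks before the comparison,
    and the common path is compared for equality rather than with startswith().
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # raised when the paths cannot share a root (e.g. drives)
        return False


def check_as_in_pr(base_dir: str, user_path: str) -> bool:
    """The containment check as written in the PR, reproduced for comparison.

    os.path.commonpath() keeps '..' as an ordinary component, so the common
    prefix of BASE and BASE/.. is BASE itself and the check passes.
    """
    full_path = os.path.join(base_dir, user_path)
    return os.path.commonpath([base_dir, full_path]).startswith(base_dir)


def compare_checks() -> dict:
    """Run both checks over constructed inputs in a temporary directory tree.

    Returns {case: (pr_check_result, hardened_check_result)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(os.path.join(tmp, "app"))  # constructed base dir
        os.makedirs(os.path.join(base, "data"))
        cases = {
            "child": "data",                    # legitimate subdirectory
            "parent": "..",                     # one level above the base
            "nested": "data/../../..",          # climbs out via a real child
            "absolute": os.path.dirname(base),  # join() drops base for absolute input
        }
        return {
            name: (check_as_in_pr(base, p), is_within_base(base, p))
            for name, p in cases.items()
        }
```

The first element of each tuple is the PR's check and the second is the resolved check; only the `child` case should be accepted by both, and the PR's check accepts every `..` case while correctly rejecting the absolute one.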