Quick fix - adding attachments back in #346
| else: | ||
| attachments = None | ||
|
|
||
| metadata_file.save(metadata_file.filename) |
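Review bot: `metadata_file.save(metadata_file.filename)` writes into the process working directory under whatever name the client sent, so two requests that upload the same filename share one path: the second save overwrites the first, and the `os.remove(metadata_file.filename)` cleanup of whichever request finishes first deletes the file the other is still using. Save each request's files under a server-generated name in a per-request temporary directory (for example one from `tempfile.mkdtemp()`) and pass that path on.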
| xde.run(filenames, params_from_request['sheet_name'], data_cols_offset=2) | ||
| print(filenames) | ||
| for data_filename in filenames[1:]: | ||
| os.remove(data_filename) |
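Review bot: `print(filenames)` after `xde.run(...)` looks like leftover debugging output and writes client-supplied names to stdout on every upload; drop it or switch to the app logger at debug level. The `os.remove(data_filename)` loop below it also runs only when `xde.run(...)` returns, so it belongs in a `finally:` block.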
| fj_pass = params_from_request['fj_pass'], | ||
| fj_token = params_from_request['fj_token']) | ||
| except AttributeError as e: | ||
| os.remove(metadata_file.filename) |
| os.remove(metadata_file.filename) | ||
| return jsonify({"error": str(e)}), 400 | ||
| except Exception as e: | ||
| os.remove(metadata_file.filename) |
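Review bot: `os.remove(metadata_file.filename)` is repeated at the top of each `except` branch, and a failure inside it (for example `FileNotFoundError` when the file was never written) replaces the original exception and skips the `jsonify` error response. Do the removal once in a `finally:` block and tolerate a missing file there.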
| "fj_url": fj_url, | ||
| "status": "success" | ||
| } | ||
| os.remove(metadata_file.filename) |
Azure Static Web Apps: Your stage site is ready! Visit it here: https://witty-hill-08172a210-346.centralus.5.azurestaticapps.net

@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 49678e0cb6
| else: | ||
| attachments = None | ||
|
|
||
| metadata_file.save(metadata_file.filename) |
Sanitize upload filenames before saving to disk
Using metadata_file.filename directly as a filesystem path allows a client-controlled multipart filename (for example containing ../) to overwrite or delete arbitrary files reachable by the server process. This commit introduced multiple raw save()/remove() calls based on untrusted names, so a crafted upload can escape the intended working area; Flask/Werkzeug guidance requires secure_filename (and a controlled upload directory) before writing paths.
| file.save(file.filename) | ||
| filenames.append(file.filename) | ||
| xde = tricahue.XDE() | ||
| xde.run(filenames, params_from_request['sheet_name'], data_cols_offset=2) |
Guard XDE execution with cleanup/error handling
When Plate_Reader_Output is present, xde.run(...) executes before the try block that handles failures and deletes temp files, so any XDE error exits early with an unhandled 500 and leaves the saved metadata/plate-reader files on disk. This is a regression from the new upload flow and can accumulate orphaned files under repeated bad uploads.
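The two review points above (client-controlled filenames used as paths, and processing that runs outside the cleanup path) can be handled together. The sketch below is an added example, not code from this PR or from tricahue: it uses only the standard library and server-generated names rather than Werkzeug's `secure_filename`. The names `request_workdir`, `storage_path` and `handle_upload`, the extension allow-list, and the `(client_name, bytes)` pairs standing in for Flask `FileStorage` objects are assumptions.

```python
import os
import shutil
import tempfile
import uuid
from contextlib import contextmanager
from pathlib import Path


@contextmanager
def request_workdir(prefix="upload-"):
    """Per-request scratch directory, removed on success and on any exception."""
    workdir = Path(tempfile.mkdtemp(prefix=prefix))
    try:
        yield workdir
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def storage_path(workdir, client_name, allowed_ext=(".xlsx", ".csv", ".txt")):
    """Map a client-supplied filename to a server-chosen path inside workdir.

    Only the extension of the client name is kept, and only if allow-listed.
    The stem is a random token, so "../" or absolute paths never reach the disk
    and two uploads with the same name cannot collide.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in allowed_ext:  # allow-list is an assumption for this example
        raise ValueError(f"unsupported file type: {ext!r}")
    path = (workdir / f"{uuid.uuid4().hex}{ext}").resolve()
    # Defence in depth: refuse anything that resolves outside the scratch dir.
    if workdir.resolve() not in path.parents:
        raise ValueError("path escapes upload directory")
    return path


def handle_upload(uploads, process):
    """uploads: list of (client_name, bytes); process: callable given saved paths."""
    with request_workdir() as workdir:
        saved = []
        for client_name, data in uploads:
            path = storage_path(workdir, client_name)
            path.write_bytes(data)  # in Flask this would be file.save(path)
            saved.append(path)
        # Processing runs inside the cleanup scope, so a failure here
        # still removes every file written for this request.
        return process(saved)
```
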
Pull request overview
This PR updates the Flask upload endpoint implementation to re-enable passing attachment files into the SynBioHub/Flapjack upload flow and to optionally incorporate plate reader output into the metadata spreadsheet before uploading.
Changes:
- Saves the uploaded metadata spreadsheet to disk and passes its path into `tricahue.XDC(...)` along with `attachments`.
- Adds optional handling for `Plate_Reader_Output` files, running `tricahue.XDE().run(...)` prior to upload and deleting the plate reader files afterward.
- Adds cleanup attempts for the saved metadata file on success and on exceptions.
| metadata_file.save(metadata_file.filename) | ||
|
|
| filenames.append(file.filename) | ||
| xde = tricahue.XDE() | ||
| xde.run(filenames, params_from_request['sheet_name'], data_cols_offset=2) | ||
| print(filenames) |
| xde.run(filenames, params_from_request['sheet_name'], data_cols_offset=2) | ||
| print(filenames) | ||
| for data_filename in filenames[1:]: | ||
| os.remove(data_filename) |
| for file in files.getlist("Plate_Reader_Output"): | ||
| # TODO - adapt XDE to work with the file object to avoid unneccesary writes | ||
| # For now: | ||
| file.save(file.filename) | ||
| filenames.append(file.filename) |
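Review bot: `file.save(file.filename)` in the `Plate_Reader_Output` loop uses the client-supplied name with no uniqueness check, so a part that shares its name with the metadata spreadsheet or with another part lands on the same path, and a duplicate entry in `filenames` makes the later `os.remove(data_filename)` loop raise when it reaches the second copy. Generate the on-disk name server-side and append that path to `filenames`.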
| xde.run(filenames, params_from_request['sheet_name'], data_cols_offset=2) | ||
| print(filenames) | ||
| for data_filename in filenames[1:]: | ||
| os.remove(data_filename) | ||
|
|
| os.remove(metadata_file.filename) | ||
| return jsonify({"error": str(e)}), 400 | ||
| except Exception as e: | ||
| os.remove(metadata_file.filename) | ||
| return jsonify({"error": str(e)}), 500 |
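Review bot: `return jsonify({"error": str(e)}), 500` in the `except Exception` branch sends the raw exception text of any failure back to the client, which can include filesystem paths or messages from the upstream services. Log the exception server-side and return a fixed generic message for the 500 case, keeping detailed text only for validation errors the endpoint raises itself.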
No description provided.