This is an automated email from the ASF dual-hosted git repository. akm pushed a commit to branch relpath-docs-721 in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit f8ae462a5a9b21a6fa45de086bb6b68994bbc851 Author: Andrew K. Musselman <[email protected]> AuthorDate: Tue Mar 10 14:36:19 2026 -0700 Adding to docs; fixes #721 --- atr/docs/input-validation.md | 6 +++++- atr/docs/user-interface.md | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/atr/docs/input-validation.md b/atr/docs/input-validation.md index d4a1f01e..2468bc27 100644 --- a/atr/docs/input-validation.md +++ b/atr/docs/input-validation.md @@ -4,7 +4,7 @@ **Prev**: `3.13.` [Authorization security](authorization-security) -**Next**: `3.15.` [TLS Security Configuration](tls-security-configuration) +**Next**: (none) **Sections**: @@ -274,6 +274,10 @@ Path traversal is prevented by: * Validating that paths remain within expected directories * Rejecting file names containing path separators +For form fields that accept file or directory paths, always use `form.RelPath` (or `form.RelPathList` for multiple paths). These types automatically call [`to_relpath()`](/ref/atr/form.py:to_relpath), which rejects path traversal sequences, absolute paths, and empty values at the Pydantic validation layer. This is the preferred approach because it prevents path traversal before the handler code runs. + +For cases outside of form validation (e.g., URL route parameters), use [`form.to_relpath()`](/ref/atr/form.py:to_relpath) directly, or validate manually: + ```python import pathlib diff --git a/atr/docs/user-interface.md b/atr/docs/user-interface.md index a27b984a..30d5df83 100644 --- a/atr/docs/user-interface.md +++ b/atr/docs/user-interface.md 
@@ -83,6 +83,8 @@ Fields use Pydantic type annotations to define their data type: * `form.StrList` - multiple checkboxes that collect strings * `form.File` - single file upload * `form.FileList` - multiple file upload +* `form.RelPath` - validated relative file path (rejects path traversal such as `..` and absolute paths via `to_relpath()`) +* `form.RelPathList` - list of validated relative file paths * `form.Enum[EnumType]` - dropdown select from enum values * `form.Set[EnumType]` - multiple checkboxes from enum values --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
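Review bot: In the first input-validation.md hunk (`@@ -4,7 +4,7 @@`), replacing the `**Next**: \`3.15.\` [TLS Security Configuration](tls-security-configuration)` link with `**Next**: (none)` drops the forward navigation from section 3.14 while `**Prev**: \`3.13.\`` is kept; if the TLS Security Configuration page still exists, the link should stay, and if that page was removed or renumbered, its own Prev/Next lines and any section index need the matching change in this commit so the chain does not break.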
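Review bot: In the second input-validation.md hunk (`@@ -274,6 +274,10 @@`), the new paragraph states that `to_relpath()` rejects traversal sequences, absolute paths, and empty values, which is syntactic validation of the string; it should also say which base directory the resulting relative path is joined to and that the bullet just above it ("Validating that paths remain within expected directories") still applies after resolution, so readers do not treat a validated `form.RelPath` as proof of containment on its own. The "or validate manually:" lead-in to the existing `pathlib` block should likewise make clear that the manual check is a fallback for the route-parameter case, not an equivalent alternative to the field type.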
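Review bot: In the user-interface.md hunk (`@@ -83,6 +83,8 @@`), the sibling entries in this list describe the rendered control ("multiple checkboxes that collect strings", "single file upload", "dropdown select from enum values"), but the two new entries describe only the validation; `* \`form.RelPath\` - validated relative file path (...)` and `* \`form.RelPathList\` - list of validated relative file paths` should state which control each renders as, and `RelPathList` should use the same "multiple ..." phrasing as the other list-valued types.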
