This is an automated email from the ASF dual-hosted git repository.

akm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/main by this push:
     new aec5b1eb Adding to docs; fixes #721 (#854)
aec5b1eb is described below

commit aec5b1eb2899f83b348f5192cf28e27e48404dec
Author: Andrew Musselman <[email protected]>
AuthorDate: Tue Mar 10 14:49:16 2026 -0700

    Adding to docs; fixes #721 (#854)
---
 atr/docs/input-validation.md | 4 ++++
 atr/docs/user-interface.md   | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/atr/docs/input-validation.md b/atr/docs/input-validation.md
index 9d6d7b9c..74dc4ff7 100644
--- a/atr/docs/input-validation.md
+++ b/atr/docs/input-validation.md
@@ -274,6 +274,10 @@ Path traversal is prevented by:
 * Validating that paths remain within expected directories
 * Rejecting file names containing path separators
 
+For form fields that accept file or directory paths, always use `form.RelPath` 
(or `form.RelPathList` for multiple paths). These types automatically call 
[`to_relpath()`](/ref/atr/form.py:to_relpath), which rejects path traversal 
sequences, absolute paths, and empty values at the Pydantic validation layer. 
This is the preferred approach because it prevents path traversal before the 
handler code runs.
+
+For cases outside of form validation (e.g., URL route parameters), use 
[`form.to_relpath()`](/ref/atr/form.py:to_relpath) directly, or validate 
manually:
+
 ```python
 import pathlib
 
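Review bot: In the first added paragraph of input-validation.md, "prevents path traversal before the handler code runs" claims more than the listed rejections (traversal sequences, absolute paths, empty values) establish. State whether a handler must still join the validated value to its base directory and apply the containment check from the bullet above ("Validating that paths remain within expected directories"), so readers do not treat `form.RelPath` as a replacement for that check. The second added paragraph also offers "validate manually" on equal footing with `form.to_relpath()`. Saying that the helper is preferred and manual validation is the fallback would keep route handlers from growing a second, slightly different set of rules.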
diff --git a/atr/docs/user-interface.md b/atr/docs/user-interface.md
index a27b984a..30d5df83 100644
--- a/atr/docs/user-interface.md
+++ b/atr/docs/user-interface.md
@@ -83,6 +83,8 @@ Fields use Pydantic type annotations to define their data 
type:
 * `form.StrList` - multiple checkboxes that collect strings
 * `form.File` - single file upload
 * `form.FileList` - multiple file upload
+* `form.RelPath` - validated relative file path (rejects path traversal such 
as `..` and absolute paths via `to_relpath()`)
+* `form.RelPathList` - list of validated relative file paths
 * `form.Enum[EnumType]` - dropdown select from enum values
 * `form.Set[EnumType]` - multiple checkboxes from enum values
 
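Review bot: The new `form.RelPath` and `form.RelPathList` entries describe validation only, while the neighbouring entries describe the rendered control ("single file upload", "dropdown select from enum values"). Add what input each one renders. The `form.RelPath` text mentions `..` and absolute paths but leaves out the empty-value rejection that the input-validation.md change in this same commit documents. The `form.RelPathList` line should also say that each element is passed through `to_relpath()`, so that the two pages agree.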

