Skip to content

Add file upload/attachments for items#4

Open
emilkvarnhammar wants to merge 1 commit into
masterfrom
feature/file-attachments
Open

Add file upload/attachments for items#4
emilkvarnhammar wants to merge 1 commit into
masterfrom
feature/file-attachments

Conversation

@emilkvarnhammar
Copy link
Copy Markdown

@emilkvarnhammar emilkvarnhammar commented Mar 6, 2026

Summary

  • New Attachment model with file metadata (filename, content_type, size, storage_path)
  • Upload/download/list/delete API endpoints under /items/{id}/attachments/
  • File type validation (JPEG, PNG, GIF, PDF, text) and 10MB size limit
  • Filename sanitization to prevent path traversal attacks
  • Local filesystem storage with per-item directories
  • Cascade delete when parent item is deleted
  • Alembic migration for the attachment table
  • 8 backend tests covering upload, download, delete, permissions, and validation
  • Frontend: AttachmentsList dialog component with upload/download/delete UI
  • Frontend: Manual axios client for attachment endpoints
  • Frontend: Attachments action added to item dropdown menu

Security surface (for threat modeling)

  • File type validation bypass (content-type spoofing)
  • Path traversal via crafted filenames
  • Storage permissions and directory enumeration
  • File size denial of service
  • Unrestricted upload types if allowlist is misconfigured
  • File content vs extension mismatch

Test plan

  • Upload file to own item (success, correct metadata returned)
  • Upload to another user's item (403)
  • Upload disallowed file type (400)
  • Upload oversized file (400)
  • List attachments on item
  • Download attachment (correct content returned)
  • Delete attachment (file removed from disk and DB)
  • Superuser can access any item's attachments

Generated with Claude Code

@emilkvarnhammar @claude
Add file upload/attachments for items
5a598d2 
- New Attachment model with file metadata (filename, content_type, size)
- Upload/download/list/delete API endpoints under /items/{id}/attachments/
- File type validation (images, PDF, text) and size limit (10MB)
- Filename sanitization to prevent path traversal
- Local filesystem storage with per-item directories
- Alembic migration for attachment table with CASCADE delete
- Tests covering upload, download, delete, permissions, and validation
- Frontend: AttachmentsList component with upload/download/delete UI
- Frontend: Manual axios client for attachment endpoints
- Frontend: Attachments action added to item dropdown menu

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems Mar 6, 2026
View reviewed changes
Comment thread backend/app/api/routes/attachments.py Dismissed
Comment thread backend/app/api/routes/attachments.py Dismissed
@emilkvarnhammar
Copy link
Copy Markdown
Author

emilkvarnhammar commented Mar 6, 2026

@oplane review

2 similar comments
@emilkvarnhammar
Copy link
Copy Markdown
Author

emilkvarnhammar commented Mar 6, 2026

@oplane review

@emilkvarnhammar
Copy link
Copy Markdown
Author

emilkvarnhammar commented Mar 6, 2026

@oplane review

@oplane-bot-dev
Copy link
Copy Markdown

oplane-bot-dev Bot commented Mar 6, 2026

🚨 Oplane Security Review Complete

Found 10 security requirements in this pull request.

Unresolved Requirements

# Status Requirement Severity
1 🟡 Partially Implemented Path Traversal Prevention for Attachment File Access Critical
2 🔴 Not Implemented Content-Type Validation and Magic Byte Checking for Uploaded Files High
3 🟡 Partially Implemented File Size Limitation and Memory Handling for Uploads Medium
4 🟡 Partially Implemented Content-Disposition and Content-Type Header Validation in FileResponse Medium
5 🔴 Not Implemented Rate Limiting for Attachment Upload Endpoints Low
6 🔴 Not Implemented Virus and Malware Scanning for Uploaded Files Low
7 🔴 Not Implemented Audit Logging for Attachment Operations Medium

Resolved Requirements

# Status Requirement Severity
1 ✅ Implemented Authorization Enforcement for Attachment Endpoints High
2 ✅ Implemented Filename Sanitization for Attachment Uploads High
3 ℹ️ Out of Scope Secure Token Storage for Frontend Authentication Low

📋 View Full Threat Model

Powered by Oplane

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@emilkvarnhammar @github-advanced-security