Simple upload files #455
Merged
Simple upload files #455
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment has been minimized.
This comment has been minimized.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
sallyom
force-pushed
the
simple-upload-files
branch
4 times, most recently
from
ff0b24e to
8a7769e
Compare
This comment was marked as outdated.
This comment was marked as outdated.
sallyom
force-pushed
the
simple-upload-files
branch
from
8a7769e to
bca02c1
Compare
This comment was marked as outdated.
This comment was marked as outdated.
sallyom
force-pushed
the
simple-upload-files
branch
from
bca02c1 to
c527be6
Compare
sallyom
force-pushed
the
simple-upload-files
branch
from
09d900e to
0a0b091
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Contributor
|
See full review in next comment due to character limits |
This comment was marked as outdated.
This comment was marked as outdated.
sallyom
force-pushed
the
simple-upload-files
branch
from
5ad21df to
6d2492e
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Add file upload functionality to sessions, allowing users to upload files from local machine or URL to the workspace. Files are uploaded to the file-uploads directory and accessible to Claude Code runners. - Backend: Auto-spawn temp-content pod when service unavailable (202 Accepted) - Operator: Support temp pods for Pending sessions, prevent PVC mount conflicts - Frontend: Upload modal with local/URL tabs, integrated in File Explorer and Add Context modal - Files uploaded to /workspace/file-uploads/ directory Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: sallyom <somalley@redhat.com>
Add "File Uploads" option to the directory selector dropdown so users can navigate to the file-uploads directory and see their uploaded files. - Add file-uploads option to directoryOptions array - Add CloudUpload icon for file-uploads type in dropdown - Files will appear even if directory is empty (shows empty state) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: sallyom <somalley@redhat.com>
This commit adds comprehensive file upload and management capabilities: ## Upload Functionality - Users can upload files from local machine or URL via upload modal - Files stored in workspace/file-uploads/ directory - Modal accessible from Add Context window and File Explorer - Auto-retry logic when content service is starting (202 Accepted) - Temp pod spawning for Pending sessions to enable pre-upload ## Context Visualization - Context accordion shows combined repos + uploaded files - Badge displays total context count (repos + files) - Repos: GitBranch icon with URL - Files: CloudUpload icon with size - Files can be removed via X button ## File Explorer Integration - File Uploads directory visible in directory selector dropdown - Always shown even when empty - Same browsing/viewing as other directories ## Backend Architecture - Added DeleteSessionWorkspaceFile handler in sessions.go - Added ContentDelete handler in new content.go for content service - DELETE route: /workspace/*path - Proper JSON responses for frontend compatibility ## Frontend Architecture - New workspace API route with GET/PUT/DELETE support - Upload modal with local file and URL tabs - Remove file mutation with proper refetch logic - TypeScript types updated for file-uploads directory ## Operator Changes - Support for temp pods in Pending sessions - Critical fix: Delete temp pod before Job to avoid PVC mount conflicts - TerminationGracePeriodSeconds=0 for instant cleanup Co-authored-by: Claude Code Runner Signed-off-by: Sally O'Malley <somalley@redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Detect binary content via Content-Type header or UTF-8 validation - Auto-encode binary files (images, PDFs, zips) as base64 - Keep text files as utf8 for readability - Content service already supports base64 decoding - Fixes PNG upload corruption issue Supported binary types: - image/* (PNG, JPG, GIF, etc.) - application/octet-stream - application/pdf - application/zip - Any non-UTF-8 content Signed-off-by: Sally O'Malley <somalley@redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: sallyom <somalley@redhat.com>
Signed-off-by: sallyom <somalley@redhat.com>
Signed-off-by: sallyom <somalley@redhat.com>
Signed-off-by: sallyom <somalley@redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add path traversal validation with explicit .. checks and path.Clean() - Move authentication validation to happen immediately before any operations - Verify all errors are properly handled (no ignored error values) Fixes path traversal vulnerability in PutSessionWorkspaceFile and DeleteSessionWorkspaceFile by validating paths stay within workspace directory. Corrects authentication check order to validate user tokens before RBAC checks or service lookups. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: sallyom <somalley@redhat.com>
sallyom
force-pushed
the
simple-upload-files
branch
from
6d2492e to
0ddd633
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Signed-off-by: sallyom <somalley@redhat.com>
This comment was marked as outdated.
This comment was marked as outdated.
Sanitize backend error messages before returning to client to prevent potential token or sensitive data leakage. Following defense-in-depth security principles: - Log full error details server-side for debugging - Return generic error messages to client - Remove 'details' field from error responses This addresses PR review feedback identifying risk of exposing sensitive backend error content (including tokens) to the client. Changes: - Upload endpoint (local): Log errors server-side, return generic message - Upload endpoint (URL): Log errors server-side, return generic message - Catch-all handler: Remove error details from response 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This comment was marked as outdated.
This comment was marked as outdated.
Expand allowed file types when magic byte detection fails to support common text-based formats that don't have detectable magic bytes: - JSON (application/json) - XML (application/xml) - YAML (application/yaml, application/x-yaml, text/yaml) - CSV (text/csv, application/csv) - JavaScript (application/javascript) Previously, files like JSON, XML, CSV, and YAML would be rejected with "Unable to verify file type" because they lack magic bytes for the file-type library to detect. This fix allows these common developer file types while still maintaining security by validating their claimed MIME types against an allowlist. Security: Still prevents binary file type spoofing by only allowing safe text-based MIME types when detection fails. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Two security and debuggability improvements: 1. Remove sensitive details from file validation error responses - Remove 'details' field that exposed internal error messages - Log full error server-side for debugging - Return generic "File type validation failed" to client - Prevents information leakage about file content mismatches 2. Log compression errors before throwing - Empty catch block was swallowing error details - Now logs "Image compression failed:" with full error - Maintains debuggability while still returning user-friendly message - Critical for troubleshooting compression issues Both changes follow defense-in-depth principles: full logging server-side, generic messages client-side. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Contributor
Claude Code ReviewSummaryThis PR implements file upload functionality for AgenticSession workspaces with strong security measures. The implementation adds path traversal protection, RBAC validation, magic byte content-type verification, SSRF prevention, automatic image compression, and proper error handling. Overall, the code quality is excellent with robust security patterns and comprehensive validation. Issues by Severity🚫 Blocker IssuesNone - No blocking issues found. 🔴 Critical IssuesNone - No critical issues found. All security patterns are correctly implemented. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Contributor
🌟 Excellent Code Quality1. Error Handling
2. User Token Authentication
3. Frontend Implementation
4. Testing
|
This comment was marked as outdated.
This comment was marked as outdated.
Contributor
🌟 Architectural Excellence1. Temp Content Pod Pattern
2. Binary File Handling
3. Path Sanitization
|
This comment was marked as outdated.
This comment was marked as outdated.
bobbravo2
approved these changes
Dec 16, 2025
andybraren
pushed a commit
to andybraren/vTeam
that referenced
this pull request
Dec 16, 2025
Signed-off-by: sallyom <somalley@redhat.com> Signed-off-by: Sally O'Malley <somalley@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.