Deduplicate remote upload_dir walk, cloud-tab layout, and SSRF checks

JE-Chen · JE-Chen · commit 5da2ddbdf619 · 2026-04-21T16:10:49.000+08:00
* Add remote/_upload_tree.walk_and_upload, the shared rglob-and-upload
  helper the s3, azure, dropbox, and sftp backends now use instead of
  re-implementing the same walker.
* Introduce ui/tabs/base.RemoteBackendTab — the cloud/SFTP tabs no
  longer repeat the same QVBoxLayout + _init_group + _ops_group scaffold
  or carry per-tab _button helpers; they inherit from RemoteBackendTab
  and use BaseTab.make_button.
* Split url_validator.validate_http_url into _require_host /
  _resolve_ips / _is_disallowed_ip helpers so the top-level function
  stops tripping the cyclomatic-complexity and boolean-expressions
  thresholds.
diff --git a/automation_file/remote/_upload_tree.py b/automation_file/remote/_upload_tree.py
@@ -0,0 +1,39 @@
+"""Shared directory-walker for cloud/SFTP ``*_upload_dir`` operations.
+
+Every backend implements the same pattern: iterate ``Path.rglob('*')``,
+skip non-files, compute a POSIX-relative remote identifier, call
+``upload_file`` for each, and collect the successful remote keys. This
+module factors that walk out so each backend only supplies the two
+parts that actually differ — how to assemble the remote identifier
+and which per-file upload function to call.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Callable
+from pathlib import Path
+
+
+def walk_and_upload(
+    source: Path,
+    make_remote: Callable[[str], str],
+    upload_one: Callable[[Path, str], bool],
+) -> list[str]:
+    """Return the list of remote identifiers successfully uploaded from ``source``.
+
+    ``make_remote`` is called with the POSIX relative path of each file
+    (no leading slash) and must return the backend-specific remote key.
+    ``upload_one`` receives ``(local_path, remote_key)`` and returns True
+    on success. Per-file failures are not raised — they are simply
+    omitted from the returned list, matching the existing backend
+    contract.
+    """
+    uploaded: list[str] = []
+    for entry in source.rglob("*"):
+        if not entry.is_file():
+            continue
+        rel = entry.relative_to(source).as_posix()
+        remote = make_remote(rel)
+        if upload_one(entry, remote):
+            uploaded.append(remote)
+    return uploaded
diff --git a/automation_file/remote/azure_blob/upload_ops.py b/automation_file/remote/azure_blob/upload_ops.py
@@ -6,6 +6,7 @@
 
 from automation_file.exceptions import DirNotExistsException, FileNotExistsException
 from automation_file.logging_config import file_automation_logger
+from automation_file.remote._upload_tree import walk_and_upload
 from automation_file.remote.azure_blob.client import azure_blob_instance
 
 
@@ -45,15 +46,12 @@ def azure_blob_upload_dir(
     source = Path(dir_path)
     if not source.is_dir():
         raise DirNotExistsException(str(source))
-    uploaded: list[str] = []
     prefix = name_prefix.rstrip("/")
-    for entry in source.rglob("*"):
-        if not entry.is_file():
-            continue
-        rel = entry.relative_to(source).as_posix()
-        blob_name = f"{prefix}/{rel}" if prefix else rel
-        if azure_blob_upload_file(str(entry), container, blob_name):
-            uploaded.append(blob_name)
+    uploaded = walk_and_upload(
+        source,
+        lambda rel: f"{prefix}/{rel}" if prefix else rel,
+        lambda local, blob_name: azure_blob_upload_file(str(local), container, blob_name),
+    )
     file_automation_logger.info(
         "azure_blob_upload_dir: %s -> %s/%s (%d files)",
         source,
diff --git a/automation_file/remote/dropbox_api/upload_ops.py b/automation_file/remote/dropbox_api/upload_ops.py
@@ -6,6 +6,7 @@
 
 from automation_file.exceptions import DirNotExistsException, FileNotExistsException
 from automation_file.logging_config import file_automation_logger
+from automation_file.remote._upload_tree import walk_and_upload
 from automation_file.remote.dropbox_api.client import dropbox_instance
 
 
@@ -48,15 +49,12 @@ def dropbox_upload_dir(dir_path: str, remote_prefix: str = "/") -> list[str]:
     source = Path(dir_path)
     if not source.is_dir():
         raise DirNotExistsException(str(source))
-    uploaded: list[str] = []
     prefix = remote_prefix.rstrip("/")
-    for entry in source.rglob("*"):
-        if not entry.is_file():
-            continue
-        rel = entry.relative_to(source).as_posix()
-        remote = f"{prefix}/{rel}" if prefix else f"/{rel}"
-        if dropbox_upload_file(str(entry), remote):
-            uploaded.append(remote)
+    uploaded = walk_and_upload(
+        source,
+        lambda rel: f"{prefix}/{rel}" if prefix else f"/{rel}",
+        lambda local, remote: dropbox_upload_file(str(local), remote),
+    )
     file_automation_logger.info(
         "dropbox_upload_dir: %s -> %s (%d files)",
         source,
diff --git a/automation_file/remote/s3/upload_ops.py b/automation_file/remote/s3/upload_ops.py
@@ -6,6 +6,7 @@
 
 from automation_file.exceptions import DirNotExistsException, FileNotExistsException
 from automation_file.logging_config import file_automation_logger
+from automation_file.remote._upload_tree import walk_and_upload
 from automation_file.remote.s3.client import s3_instance
 
 
@@ -29,15 +30,12 @@ def s3_upload_dir(dir_path: str, bucket: str, key_prefix: str = "") -> list[str]
     source = Path(dir_path)
     if not source.is_dir():
         raise DirNotExistsException(str(source))
-    uploaded: list[str] = []
     prefix = key_prefix.rstrip("/")
-    for entry in source.rglob("*"):
-        if not entry.is_file():
-            continue
-        rel = entry.relative_to(source).as_posix()
-        key = f"{prefix}/{rel}" if prefix else rel
-        if s3_upload_file(str(entry), bucket, key):
-            uploaded.append(key)
+    uploaded = walk_and_upload(
+        source,
+        lambda rel: f"{prefix}/{rel}" if prefix else rel,
+        lambda local, key: s3_upload_file(str(local), bucket, key),
+    )
     file_automation_logger.info(
         "s3_upload_dir: %s -> s3://%s/%s (%d files)",
         source,
diff --git a/automation_file/remote/sftp/upload_ops.py b/automation_file/remote/sftp/upload_ops.py
@@ -7,6 +7,7 @@
 
 from automation_file.exceptions import DirNotExistsException, FileNotExistsException
 from automation_file.logging_config import file_automation_logger
+from automation_file.remote._upload_tree import walk_and_upload
 from automation_file.remote.sftp.client import sftp_instance
 
 
@@ -46,15 +47,12 @@ def sftp_upload_dir(dir_path: str, remote_prefix: str) -> list[str]:
     source = Path(dir_path)
     if not source.is_dir():
         raise DirNotExistsException(str(source))
-    uploaded: list[str] = []
     prefix = remote_prefix.rstrip("/")
-    for entry in source.rglob("*"):
-        if not entry.is_file():
-            continue
-        rel = entry.relative_to(source).as_posix()
-        remote = f"{prefix}/{rel}" if prefix else rel
-        if sftp_upload_file(str(entry), remote):
-            uploaded.append(remote)
+    uploaded = walk_and_upload(
+        source,
+        lambda rel: f"{prefix}/{rel}" if prefix else rel,
+        lambda local, remote: sftp_upload_file(str(local), remote),
+    )
     file_automation_logger.info(
         "sftp_upload_dir: %s -> %s (%d files)",
         source,
diff --git a/automation_file/remote/url_validator.py b/automation_file/remote/url_validator.py
@@ -16,36 +16,45 @@
 _ALLOWED_SCHEMES = frozenset({"http", "https"})
 
 
-def validate_http_url(url: str) -> str:
-    """Return ``url`` if safe; raise :class:`UrlValidationException` otherwise."""
+def _require_host(url: str) -> str:
     if not isinstance(url, str) or not url:
         raise UrlValidationException("url must be a non-empty string")
-
     parsed = urlparse(url)
     if parsed.scheme not in _ALLOWED_SCHEMES:
         raise UrlValidationException(f"disallowed scheme: {parsed.scheme!r}")
     host = parsed.hostname
     if not host:
         raise UrlValidationException("url must contain a host")
+    return host
 
+
+def _resolve_ips(host: str) -> list[str]:
     try:
-        addr_infos = socket.getaddrinfo(host, None)
+        infos = socket.getaddrinfo(host, None)
     except socket.gaierror as error:
         raise UrlValidationException(f"cannot resolve host: {host}") from error
+    return [str(info[4][0]) for info in infos]
+
 
-    for info in addr_infos:
-        ip_str = info[4][0]
+def _is_disallowed_ip(ip_obj: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
+    return (
+        ip_obj.is_private
+        or ip_obj.is_loopback
+        or ip_obj.is_link_local
+        or ip_obj.is_reserved
+        or ip_obj.is_multicast
+        or ip_obj.is_unspecified
+    )
+
+
+def validate_http_url(url: str) -> str:
+    """Return ``url`` if safe; raise :class:`UrlValidationException` otherwise."""
+    host = _require_host(url)
+    for ip_str in _resolve_ips(host):
         try:
             ip_obj = ipaddress.ip_address(ip_str)
         except ValueError as error:
             raise UrlValidationException(f"cannot parse resolved ip: {ip_str}") from error
-        if (
-            ip_obj.is_private
-            or ip_obj.is_loopback
-            or ip_obj.is_link_local
-            or ip_obj.is_reserved
-            or ip_obj.is_multicast
-            or ip_obj.is_unspecified
-        ):
+        if _is_disallowed_ip(ip_obj):
             raise UrlValidationException(f"disallowed ip: {ip_str}")
     return url
diff --git a/automation_file/ui/tabs/azure_tab.py b/automation_file/ui/tabs/azure_tab.py
@@ -7,7 +7,6 @@
     QGroupBox,
     QLineEdit,
     QPushButton,
-    QVBoxLayout,
 )
 
 from automation_file.remote.azure_blob.client import azure_blob_instance
@@ -18,19 +17,12 @@
     azure_blob_upload_dir,
     azure_blob_upload_file,
 )
-from automation_file.ui.tabs.base import BaseTab
+from automation_file.ui.tabs.base import RemoteBackendTab
 
 
-class AzureBlobTab(BaseTab):
+class AzureBlobTab(RemoteBackendTab):
     """Form-driven Azure Blob operations."""
 
-    def __init__(self, log, pool) -> None:
-        super().__init__(log, pool)
-        root = QVBoxLayout(self)
-        root.addWidget(self._init_group())
-        root.addWidget(self._ops_group())
-        root.addStretch()
-
     def _init_group(self) -> QGroupBox:
         box = QGroupBox("Client")
         form = QFormLayout(box)
@@ -53,19 +45,13 @@ def _ops_group(self) -> QGroupBox:
         form.addRow("Local path", self._local)
         form.addRow("Container", self._container)
         form.addRow("Blob name / prefix", self._blob)
-        form.addRow(self._button("Upload file", self._on_upload_file))
-        form.addRow(self._button("Upload dir", self._on_upload_dir))
-        form.addRow(self._button("Download to local", self._on_download))
-        form.addRow(self._button("Delete blob", self._on_delete))
-        form.addRow(self._button("List container", self._on_list))
+        form.addRow(self.make_button("Upload file", self._on_upload_file))
+        form.addRow(self.make_button("Upload dir", self._on_upload_dir))
+        form.addRow(self.make_button("Download to local", self._on_download))
+        form.addRow(self.make_button("Delete blob", self._on_delete))
+        form.addRow(self.make_button("List container", self._on_list))
         return box
 
-    @staticmethod
-    def _button(label: str, handler) -> QPushButton:
-        button = QPushButton(label)
-        button.clicked.connect(handler)
-        return button
-
     def _on_init(self) -> None:
         conn = self._conn_string.text().strip()
         account = self._account_url.text().strip()
diff --git a/automation_file/ui/tabs/base.py b/automation_file/ui/tabs/base.py
@@ -12,9 +12,11 @@
 from PySide6.QtCore import QThreadPool
 from PySide6.QtWidgets import (
     QFileDialog,
+    QGroupBox,
     QHBoxLayout,
     QLineEdit,
     QPushButton,
+    QVBoxLayout,
     QWidget,
 )
 
@@ -30,6 +32,13 @@ def __init__(self, log: LogPanel, pool: QThreadPool) -> None:
         self._log = log
         self._pool = pool
 
+    @staticmethod
+    def make_button(label: str, handler: Callable[[], Any]) -> QPushButton:
+        """Build a ``QPushButton`` wired to ``handler`` — the cloud tab idiom."""
+        button = QPushButton(label)
+        button.clicked.connect(handler)
+        return button
+
     def run_action(
         self,
         target: Callable[..., Any],
@@ -77,3 +86,26 @@ def pick_save_file(parent: QWidget) -> str | None:
     def pick_directory(parent: QWidget) -> str | None:
         path = QFileDialog.getExistingDirectory(parent, "Select directory")
         return path or None
+
+
+class RemoteBackendTab(BaseTab):
+    """Shared layout template for cloud/SFTP tabs.
+
+    Subclasses supply ``_init_group`` (credentials / session setup) and
+    ``_ops_group`` (file transfer actions). The base class stacks both
+    inside a ``QVBoxLayout`` with a trailing stretch so the groups pin
+    to the top of the tab.
+    """
+
+    def __init__(self, log: LogPanel, pool: QThreadPool) -> None:
+        super().__init__(log, pool)
+        root = QVBoxLayout(self)
+        root.addWidget(self._init_group())
+        root.addWidget(self._ops_group())
+        root.addStretch()
+
+    def _init_group(self) -> QGroupBox:
+        raise NotImplementedError
+
+    def _ops_group(self) -> QGroupBox:
+        raise NotImplementedError
diff --git a/automation_file/ui/tabs/dropbox_tab.py b/automation_file/ui/tabs/dropbox_tab.py
@@ -8,7 +8,6 @@
     QGroupBox,
     QLineEdit,
     QPushButton,
-    QVBoxLayout,
 )
 
 from automation_file.remote.dropbox_api.client import dropbox_instance
@@ -19,19 +18,12 @@
     dropbox_upload_dir,
     dropbox_upload_file,
 )
-from automation_file.ui.tabs.base import BaseTab
+from automation_file.ui.tabs.base import RemoteBackendTab
 
 
-class DropboxTab(BaseTab):
+class DropboxTab(RemoteBackendTab):
     """Form-driven Dropbox operations."""
 
-    def __init__(self, log, pool) -> None:
-        super().__init__(log, pool)
-        root = QVBoxLayout(self)
-        root.addWidget(self._init_group())
-        root.addWidget(self._ops_group())
-        root.addStretch()
-
     def _init_group(self) -> QGroupBox:
         box = QGroupBox("Client")
         form = QFormLayout(box)
@@ -53,19 +45,13 @@ def _ops_group(self) -> QGroupBox:
         form.addRow("Local path", self._local)
         form.addRow("Remote path", self._remote)
         form.addRow(self._recursive)
-        form.addRow(self._button("Upload file", self._on_upload_file))
-        form.addRow(self._button("Upload dir", self._on_upload_dir))
-        form.addRow(self._button("Download", self._on_download))
-        form.addRow(self._button("Delete path", self._on_delete))
-        form.addRow(self._button("List folder", self._on_list))
+        form.addRow(self.make_button("Upload file", self._on_upload_file))
+        form.addRow(self.make_button("Upload dir", self._on_upload_dir))
+        form.addRow(self.make_button("Download", self._on_download))
+        form.addRow(self.make_button("Delete path", self._on_delete))
+        form.addRow(self.make_button("List folder", self._on_list))
         return box
 
-    @staticmethod
-    def _button(label: str, handler) -> QPushButton:
-        button = QPushButton(label)
-        button.clicked.connect(handler)
-        return button
-
     def _on_init(self) -> None:
         token = self._token.text().strip()
         self.run_action(
diff --git a/automation_file/ui/tabs/s3_tab.py b/automation_file/ui/tabs/s3_tab.py
diff --git a/automation_file/ui/tabs/sftp_tab.py b/automation_file/ui/tabs/sftp_tab.py
