revert: Remove v1 resource router security changes

jope-bm · jope-bm · commit 010b0c4a6128 · 2025-11-21T12:10:31.000-07:00
V1 API should remain unchanged in this phase. Only V2 API receives functional improvements and security enhancements. This reverts commit bf05a05.
diff --git a/src/basic_memory/api/routers/resource_router.py b/src/basic_memory/api/routers/resource_router.py
@@ -20,7 +20,6 @@
 from basic_memory.schemas.memory import normalize_memory_url
 from basic_memory.schemas.search import SearchQuery, SearchItemType
 from basic_memory.models.knowledge import Entity as EntityModel
-from basic_memory.utils import validate_project_path
 from datetime import datetime
 
 router = APIRouter(prefix="/resource", tags=["resources"])
@@ -55,9 +54,6 @@ async def get_resource_content(
     """Get resource content by identifier: name or permalink."""
     logger.debug(f"Getting content for: {identifier}")
 
-    # Get project path for validation
-    project_path = Path(config.home)
-
     # Find single entity by permalink
     entity = await link_resolver.resolve_link(identifier)
     results = [entity] if entity else []
@@ -85,17 +81,6 @@ async def get_resource_content(
     # return single response
     if len(results) == 1:
         entity = results[0]
-
-        # Validate entity file path to prevent path traversal
-        if not validate_project_path(entity.file_path, project_path):
-            logger.error(
-                f"Invalid file path in entity {entity.id}: {entity.file_path}"
-            )
-            raise HTTPException(
-                status_code=500,
-                detail="Entity contains invalid file path",
-            )
-
         file_path = Path(f"{config.home}/{entity.file_path}")
         if not file_path.exists():
             raise HTTPException(
@@ -109,13 +94,6 @@ async def get_resource_content(
         temp_file_path = tmp_file.name
 
         for result in results:
-            # Validate entity file path to prevent path traversal
-            if not validate_project_path(result.file_path, project_path):
-                logger.error(
-                    f"Invalid file path in entity {result.id}: {result.file_path}"
-                )
-                continue  # Skip this entity and continue with others
-
             # Read content for each entity
             content = await file_service.read_entity_content(result)
             memory_url = normalize_memory_url(result.permalink)
@@ -193,18 +171,6 @@ async def write_resource(
         else:
             content_str = str(content)
 
-        # Validate path to prevent path traversal attacks
-        project_path = Path(config.home)
-        if not validate_project_path(file_path, project_path):
-            logger.warning(
-                f"Invalid file path attempted: {file_path} in project {config.name}"
-            )
-            raise HTTPException(
-                status_code=400,
-                detail=f"Invalid file path: {file_path}. "
-                "Path must be relative and stay within project boundaries.",
-            )
-
         # Get full file path
         full_path = Path(f"{config.home}/{file_path}")
 
@@ -268,9 +234,6 @@ async def write_resource(
                 "modified_at": file_stats.st_mtime,
             },
         )
-    except HTTPException:
-        # Re-raise HTTP exceptions (like validation errors) without wrapping
-        raise
     except Exception as e:  # pragma: no cover
         logger.error(f"Error writing resource {file_path}: {e}")
         raise HTTPException(status_code=500, detail=f"Failed to write resource: {str(e)}")
