Skip to content

only access .name for upload component#5515

Merged
adhami3310 merged 1 commit into
mainfrom
khaleel/eng-6433-rxselected_files-should-return-file-names-instead-of-paths
Jul 3, 2025
Merged

only access .name for upload component#5515
adhami3310 merged 1 commit into
mainfrom
khaleel/eng-6433-rxselected_files-should-return-file-names-instead-of-paths

Conversation

@adhami3310
Copy link
Copy Markdown
Member

@adhami3310 adhami3310 commented Jul 1, 2025

also fixes #5490

@linear
Copy link
Copy Markdown

linear Bot commented Jul 1, 2025

ENG-6433 rx.selected_files should return file names instead of paths

@adhami3310 adhami3310 linked an issue Jul 1, 2025 that may be closed by this pull request
rx.selected_files should return file names instead of paths #5495
Closed
greptile-apps[bot]
greptile-apps Bot reviewed Jul 1, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Summary

Modified the upload component to improve security and type handling by returning only file names instead of full paths, and adding support for Var[str] type IDs.

  • Changed selected_files() in reflex/components/core/upload.py to return only file names (f.name) instead of paths for better security
  • Added support for Var[str] type ID parameters in upload component functions
  • Removed path fallback logic (f.path || f.name) to prevent potential exposure of sensitive file system information

2 files reviewed, no comments
Edit PR Review Bot Settings | Greptile

@codspeed-hq
Copy link
Copy Markdown

codspeed-hq Bot commented Jul 1, 2025

CodSpeed Performance Report

Merging #5515 will not alter performance

Comparing khaleel/eng-6433-rxselected_files-should-return-file-names-instead-of-paths (765fac1) with main (09ed66c)

Summary

✅ 8 untouched benchmarks

masenf
masenf reviewed Jul 2, 2025
View reviewed changes
Comment thread reflex/components/core/upload.py
id_var = LiteralStringVar.create(id_) if not isinstance(id_, Var) else id_
return Var(
_js_expr=f"(filesById[{id_var!s}] ? filesById[{id_var!s}].map((f) => (f.path || f.name)) : [])",
_js_expr=f"(filesById[{id_var!s}] ? filesById[{id_var!s}].map((f) => f.name) : [])",
Copy link
Copy Markdown
Collaborator

@masenf masenf Jul 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why don't we want the path? what if the user drops a big directory?

Copy link
Copy Markdown
Member Author

@adhami3310 adhami3310 Jul 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://developer.mozilla.org/en-US/docs/Web/API/File doesn't even document path

@adhami3310 adhami3310 merged commit 86d5b52 into main Jul 3, 2025
51 of 53 checks passed
@adhami3310 adhami3310 deleted the khaleel/eng-6433-rxselected_files-should-return-file-names-instead-of-paths branch July 3, 2025 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@masenf masenf masenf approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

rx.selected_files should return file names instead of paths select_files fails when passed a var[str]

2 participants

@adhami3310 @masenf