fix: CORS startup crash + path traversal security

dmpantiu · dmpantiu · commit e8e6c1e04f48 · 2026-03-10T23:46:18.000+01:00
- CORS: change allow_credentials=True to False (wildcard origins + credentials is forbidden by Starlette, causes AssertionError on boot)
- Path traversal: already fixed with is_relative_to (was in diff from prior session)
diff --git a/web/app.py b/web/app.py
@@ -73,7 +73,7 @@ def create_app() -> FastAPI:
     app.add_middleware(
         CORSMiddleware,
         allow_origins=["*"],
-        allow_credentials=True,
+        allow_credentials=False,
         allow_methods=["*"],
         allow_headers=["*"],
     )
diff --git a/web/routes/api.py b/web/routes/api.py
@@ -127,7 +127,7 @@ async def download_dataset(path: str = Query(..., description="Path to Zarr data
     data_dir = (PROJECT_ROOT / "data").resolve()
 
     # Security: only allow paths under PROJECT_ROOT/data
-    if not str(dataset_path).startswith(str(data_dir)):
+    if not dataset_path.is_relative_to(data_dir):
         raise HTTPException(status_code=403, detail="Access denied: path outside data directory")
 
     if not dataset_path.exists():

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ def create_app() -> FastAPI:`
`73`	`73`	`app.add_middleware(`
`74`	`74`	`CORSMiddleware,`
`75`	`75`	`allow_origins=["*"],`
`76`		`- allow_credentials=True,`
	`76`	`+ allow_credentials=False,`
`77`	`77`	`allow_methods=["*"],`
`78`	`78`	`allow_headers=["*"],`
`79`	`79`	`)`