From 0136f23d6654eeccfba85343ebd6e99c8a01b2a6 Mon Sep 17 00:00:00 2001
From: sanderegg <35365065+sanderegg@users.noreply.github.com>
Date: Thu, 6 Mar 2025 14:40:03 +0100
Subject: [PATCH] quote return values correctly
---
 .../api/rest/_files.py | 45 ++++++++++++-------
 1 file changed, 29 insertions(+), 16 deletions(-)
diff --git a/services/storage/src/simcore_service_storage/api/rest/_files.py b/services/storage/src/simcore_service_storage/api/rest/_files.py
index ca92fb1079fc..c0b6a4f4a7c9 100644
--- a/services/storage/src/simcore_service_storage/api/rest/_files.py
+++ b/services/storage/src/simcore_service_storage/api/rest/_files.py
@@ -1,6 +1,7 @@
 import asyncio
 import logging
 from typing import Annotated, cast
+from urllib.parse import quote
 from fastapi import APIRouter, Depends, Header, HTTPException, Request
 from models_library.api_schemas_storage.storage_schemas import (
@@ -202,11 +203,15 @@ async def upload_file(
 abort_url = (
 URL(f"{request.url}")
 .with_path(
- request.app.url_path_for(
- "abort_upload_file",
- location_id=f"{location_id}",
- file_id=file_id,
- )
+ quote(
+ request.app.url_path_for(
+ "abort_upload_file",
+ location_id=f"{location_id}",
+ file_id=file_id,
+ ),
+ safe=":/",
+ ),
+ encoded=True,
 )
 .with_query(user_id=query_params.user_id)
 )
@@ -214,11 +219,15 @@ async def upload_file(
 complete_url = (
 URL(f"{request.url}")
 .with_path(
- request.app.url_path_for(
- "complete_upload_file",
- location_id=f"{location_id}",
- file_id=file_id,
- )
+ quote(
+ request.app.url_path_for(
+ "complete_upload_file",
+ location_id=f"{location_id}",
+ file_id=file_id,
+ ),
+ safe=":/",
+ ),
+ encoded=True,
 )
 .with_query(user_id=query_params.user_id)
 )
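Review bot: The same `quote(request.app.url_path_for(...), safe=":/")` plus `encoded=True` expression is now written out three times, for `abort_url` here, for `complete_url` in the next hunk and for `route` in `complete_upload_file`, and none of them carries a comment saying why the path is pre-quoted. Passing `encoded=True` presumably makes yarl take the string as given, so this `quote` call is the only encoding applied to a path built from the client-supplied `file_id`; if one site later drifts (a different `safe` set, a dropped `encoded=True`) the links returned to the caller will be mis-encoded or encoded twice. I would move the expression into one small helper that documents the contract, and add a test whose `file_id` contains a space, `#`, `?` and `%`. Both function bodies start and end outside the hunks, so it is not visible whether `file_id` can already be percent-encoded when it reaches this code; if it can, `quote` will turn its `%` into `%25`.

```python
def _url_for_route(request: Request, route_name: str, **path_params: str) -> URL:
    # The path from url_path_for() is percent-quoted here, keeping "/" and ":"
    # literal; encoded=True then tells yarl to use it as-is instead of quoting again.
    quoted_path = quote(
        request.app.url_path_for(route_name, **path_params), safe=":/"
    )
    return URL(f"{request.url}").with_path(quoted_path, encoded=True)

# … unchanged: each call site keeps its .with_query(user_id=query_params.user_id) …
```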
@@ -273,12 +282,16 @@ async def complete_upload_file(
 route = (
 URL(f"{request.url}")
 .with_path(
- request.app.url_path_for(
- "is_completed_upload_file",
- location_id=f"{location_id}",
- file_id=file_id,
- future_id=task.get_name(),
- )
+ quote(
+ request.app.url_path_for(
+ "is_completed_upload_file",
+ location_id=f"{location_id}",
+ file_id=file_id,
+ future_id=task.get_name(),
+ ),
+ safe=":/",
+ ),
+ encoded=True,
 )
 .with_query(user_id=query_params.user_id)
 )