Fix path_in_repo validation when committing files (#1382)

* Fix invalid path_in_repo in CommitOperationAdd

* raise if absolute path_in_repo in CommitOperationAdd

* Validate path_in_repo for CommitOperationDelete as well

Author: Wauplin

src/huggingface_hub/_commit_api.py

@@ -56,6 +56,8 @@ class CommitOperationDelete:
     is_folder: Union[bool, Literal["auto"]] = "auto"
 
     def __post_init__(self):
+        self.path_in_repo = _validate_path_in_repo(self.path_in_repo)
+
         if self.is_folder == "auto":
             self.is_folder = self.path_in_repo.endswith("/")
         if not isinstance(self.is_folder, bool):
@@ -95,6 +97,8 @@ class CommitOperationAdd:
 
     def __post_init__(self) -> None:
         """Validates `path_or_fileobj` and compute `upload_info`."""
+        self.path_in_repo = _validate_path_in_repo(self.path_in_repo)
+
         # Validate `path_or_fileobj` value
         if isinstance(self.path_or_fileobj, Path):
             self.path_or_fileobj = str(self.path_or_fileobj)
@@ -194,6 +198,17 @@ def b64content(self) -> bytes:
             return base64.b64encode(file.read())
 
 
+def _validate_path_in_repo(path_in_repo: str) -> str:
+    # Validate `path_in_repo` value to prevent a server-side issue
+    if path_in_repo.startswith("/"):
+        path_in_repo = path_in_repo[1:]
+    if path_in_repo == "." or path_in_repo == ".." or path_in_repo.startswith("../"):
+        raise ValueError(f"Invalid `path_in_repo` in CommitOperation: '{path_in_repo}'")
+    if path_in_repo.startswith("./"):
+        path_in_repo = path_in_repo[2:]
+    return path_in_repo
+
+
 CommitOperation = Union[CommitOperationAdd, CommitOperationDelete]
 
 

tests/test_commit_api.py

@@ -32,6 +32,30 @@ def test_is_folder_wrong_value(self):
             CommitOperationDelete(path_in_repo="path/to/folder", is_folder="any value")
 
 
+class TestCommitOperationPathInRepo(unittest.TestCase):
+    valid_values = {  # key is input, value is expected validated output
+        "file.txt": "file.txt",
+        ".file.txt": ".file.txt",
+        "/file.txt": "file.txt",
+        "./file.txt": "file.txt",
+    }
+    invalid_values = [".", "..", "../file.txt"]
+
+    def test_path_in_repo_valid(self) -> None:
+        for input, expected in self.valid_values.items():
+            with self.subTest(f"Testing with valid input: '{input}'"):
+                self.assertEqual(CommitOperationAdd(path_in_repo=input, path_or_fileobj=b"").path_in_repo, expected)
+                self.assertEqual(CommitOperationDelete(path_in_repo=input).path_in_repo, expected)
+
+    def test_path_in_repo_invalid(self) -> None:
+        for input in self.invalid_values:
+            with self.subTest(f"Testing with invalid input: '{input}'"):
+                with self.assertRaises(ValueError):
+                    CommitOperationAdd(path_in_repo=input, path_or_fileobj=b"")
+                with self.assertRaises(ValueError):
+                    CommitOperationDelete(path_in_repo=input)
+
+
 class TestWarnOnOverwritingOperations(unittest.TestCase):
     add_file_ab = CommitOperationAdd(path_in_repo="a/b.txt", path_or_fileobj=b"data")
     add_file_abc = CommitOperationAdd(path_in_repo="a/b/c.md", path_or_fileobj=b"data")

tests/test_hf_api.py

@@ -1980,6 +1980,17 @@ def test_allow_txt_not_root_ignore_subdir(self):
             {"sub/file.txt"},  # only .txt files, not in subdir, not at root
         )
 
+    def test_path_in_repo_dot(self):
+        """Regression test for #1382 when using `path_in_repo="."`.
+
+        Using `path_in_repo="."` or `path_in_repo=None` should be equivalent.
+        See https://github.com/huggingface/huggingface_hub/pull/1382.
+        """
+        operation_with_dot = self._upload_folder_alias(path_in_repo=".", allow_patterns=["file.txt"])[0]
+        operation_with_none = self._upload_folder_alias(path_in_repo=None, allow_patterns=["file.txt"])[0]
+        self.assertEqual(operation_with_dot.path_in_repo, "file.txt")
+        self.assertEqual(operation_with_none.path_in_repo, "file.txt")
+
     def test_delete_txt(self):
         operations = self._upload_folder_alias(delete_patterns="*.txt")
         added_files = {op.path_in_repo for op in operations if isinstance(op, CommitOperationAdd)}