Fix FileNotFoundError handling in rename_file methods #1548

Open: wants to merge 6 commits into base: main

aws-jasakshi

Fix FileNotFoundError handling in rename_file methods

Summary

This PR fixes a security issue where the JupyterLab API returns HTTP 500 Internal Server Errors when attempting to rename non-existent files or directories. The fix ensures that proper HTTP 404 errors are returned instead, preventing information disclosure through verbose error messages.

Problem

  • Issue: When a PATCH request is made to /jupyterlab/default/api/contents/ with a non-existent file path, the API returns HTTP 500 with verbose error messages including stack traces
  • Security Impact: Exposes internal implementation details and file system information
  • Expected Behavior: Should return HTTP 404 with appropriate error message

Solution

  • Added FileNotFoundError exception handling to both synchronous and asynchronous rename_file methods in FileContentsManager
  • Returns HTTP 404 error with message "File or directory does not exist: {path}" instead of generic HTTP 500
  • Maintains existing error handling for other exceptions

Changes Made

  1. Modified jupyter_server/services/contents/filemanager.py:

    • Added FileNotFoundError exception handling in rename_file method (line ~605)
    • Added FileNotFoundError exception handling in async rename_file method (line ~1073)
    • Both methods now return HTTP 404 with descriptive error message
  2. Added test coverage:

    • New test test_rename_nonexistent in tests/services/contents/test_manager.py
    • Tests both file and directory rename scenarios
    • Validates proper HTTP 404 response and error message format

Testing

  • ✅ Manual testing confirms HTTP 404 is returned for non-existent files
  • ✅ Existing rename functionality for valid files remains unchanged
  • ✅ New unit tests pass
  • ✅ All existing tests continue to pass

Security Considerations

  • Fixes information disclosure vulnerability
  • Error messages are now generic and don't expose internal file paths beyond the user-provided path
  • Maintains proper error handling hierarchy (HTTPError → FileNotFoundError → Exception)

Related Issues

  • Addresses security finding from penetration testing
  • Improves API error handling consistency
  • Follows HTTP status code best practices

Checklist

  • Code follows project style guidelines
  • Self-review of code completed
  • Tests added for new functionality
  • All tests pass
  • Documentation updated (if applicable)
  • Security implications considered

Breaking Changes

None. This change only affects error responses for invalid operations and maintains backward compatibility for all valid operations.

Additional Notes

This fix addresses a security vulnerability where verbose error messages could expose internal system information. The change is minimal and focused, affecting only the error handling path for non-existent files during rename operations.

- Add FileNotFoundError exception handling to both sync and async rename_file methods
- Return HTTP 404 error instead of generic 500 error when file/directory doesn't exist
- Improves error specificity for file rename operations
- Test that renaming non-existent files returns 404 instead of 500
- Covers both file and directory rename scenarios
- Validates proper error message format
aws-jasakshi force-pushed the fix-rename-file-404-error branch from 7247bb0 to c2a2533 (August 8, 2025 21:56)
aws-jasakshi force-pushed the fix-rename-file-404-error branch from cc82c64 to 76b898d (August 8, 2025 22:19)
aws-jasakshi force-pushed the fix-rename-file-404-error branch from 9a3d547 to 96b8eb5 (August 8, 2025 22:22)
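
An added sketch, not code from this pull request or from jupyter_server, of the exception ordering the description names (HTTPError → FileNotFoundError → Exception). The `HTTPError` class, the `rename_file` signature, the 409 check, the helper functions and the sample file names are assumptions made so the block runs stand-alone with the standard library.

```python
import os
import tempfile

class HTTPError(Exception):
    """Hypothetical stand-in for the web framework's HTTP error type."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status, self.message = status, message

def rename_file(root, old_path, new_path):
    """Rename old_path to new_path; both are API paths relative to root."""
    old_os = os.path.join(root, old_path.strip("/"))
    new_os = os.path.join(root, new_path.strip("/"))
    try:
        if os.path.exists(new_os):
            raise HTTPError(409, f"File already exists: {new_path}")
        os.rename(old_os, new_os)
    except HTTPError:
        raise  # already a deliberate HTTP response, pass it through
    except FileNotFoundError:
        # Echo only the caller-supplied API path, never the resolved OS path.
        raise HTTPError(404, f"File or directory does not exist: {old_path}") from None
    except Exception:
        # Generic text for the client; the details belong in the server log.
        raise HTTPError(500, f"Unknown error renaming file: {old_path}") from None

def status_of(root, old_path, new_path):
    """Return (status, message) as a client would see them for this rename."""
    try:
        rename_file(root, old_path, new_path)
        return 200, ""
    except HTTPError as e:
        return e.status, e.message

def demo():
    """Run constructed cases in a temp dir; return {case: (status, message)}."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.txt", "b.txt"):  # constructed sample files
            open(os.path.join(root, name), "w").close()
        return {
            "missing": status_of(root, "nope.txt", "x.txt"),
            "conflict": status_of(root, "a.txt", "b.txt"),
            "not_dir": status_of(root, "b.txt/child", "y.txt"),
            "dest_dir": status_of(root, "b.txt", "nodir/x.txt"),
            "ok": status_of(root, "a.txt", "c.txt"),
            "root": (0, root),
        }
```

In this sketch a missing destination directory also raises `FileNotFoundError`, so the `dest_dir` case returns the same 404 text about the source path even though the source exists.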