Skip to content

fix: normalize paths in file router to prevent HTTPException with dotdot paths#8425

Merged
mscolnick merged 1 commit intomarimo-team:mainfrom
bxff:fix/normalize-file-router-paths
Feb 23, 2026
Merged

fix: normalize paths in file router to prevent HTTPException with dotdot paths#8425
mscolnick merged 1 commit intomarimo-team:mainfrom
bxff:fix/normalize-file-router-paths

Conversation

@bxff
Copy link
Contributor

@bxff bxff commented Feb 22, 2026

Summary

Fixes a bug where create_asgi_app() fails with HTTPException when file paths contain .. components.

Problem: When using os.path.join(os.path.dirname(__file__), "..", "..", "ui") (as the FastAPI example does), _allowed_paths stored the un-normalized absolute path (preserving ..), while resolve_file_path() normalized it via os.path.normpath(). This mismatch caused HTTPException('File not found') during SessionManager initialization.

Fix: Normalize paths consistently using normalize_path() when building _allowed_paths in ListOfFilesAppFileRouter.__init__ and in register_allowed_file().

Fixes #8414

Test Plan

  • Added regression test test_list_of_files_resolves_dotdot_in_path that creates a file router with a .. path and verifies resolve_file_path() succeeds
  • All 50 existing tests in test_file_router.py pass

@24f2006299
fix: normalize paths in file router to prevent HTTPException with dot…
a942021 
…dot paths

When file paths contain '..' components (e.g., from os.path.join with
'..'), _allowed_paths stored the un-normalized absolute path while
resolve_file_path() normalized it via os.path.normpath(). This mismatch
caused HTTPException('File not found') during SessionManager
initialization for the create_asgi_app() / FastAPI integration.

Normalize paths consistently using normalize_path() when building
_allowed_paths and in register_allowed_file().

Fixes marimo-team#8414
@vercel
Copy link

vercel bot commented Feb 22, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
marimo-docs Ready Ready Preview, Comment Feb 22, 2026 9:26pm

Request Review

@github-actions
Copy link

github-actions bot commented Feb 22, 2026


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@bxff
Copy link
Contributor Author

bxff commented Feb 22, 2026

I have read the CLA Document and I hereby sign the CLA

@mscolnick mscolnick added the bug Something isn't working label Feb 22, 2026
@abhenderson
Copy link

abhenderson commented Feb 23, 2026

Thank you for looking at this issue and doing a PR, much appreciated.

@mscolnick mscolnick merged commit 31dfd43 into marimo-team:main Feb 23, 2026
39 of 41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mscolnick mscolnick mscolnick approved these changes

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Error running programmatic start of Marimo using FastAPI (FastAPI Example App and own Code)

4 participants

@bxff @abhenderson @mscolnick @24f2006299