fix(gateway): add canonical cache paths to MEDIA_DELIVERY_SAFE_ROOTS#33238
Open
kaishi00 wants to merge 1 commit into
Open
fix(gateway): add canonical cache paths to MEDIA_DELIVERY_SAFE_ROOTS#33238kaishi00 wants to merge 1 commit into
kaishi00 wants to merge 1 commit into
Conversation
image_gen_provider writes to cache/images/ but get_hermes_dir() resolves to the legacy image_cache/ when it exists on disk, leaving the canonical path uncovered by MEDIA_DELIVERY_SAFE_ROOTS. Add explicit entries for all canonical cache subdirectories (cache/images, cache/audio, cache/videos, cache/documents, cache/screenshots) alongside the existing legacy and get_hermes_dir() entries. Regression tests verify the default MEDIA_DELIVERY_SAFE_ROOTS accepts files under canonical paths even when legacy directories coexist. Fixes NousResearch#31733 Addresses reviewer feedback from closed PR NousResearch#31764
Collaborator
This was referenced May 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #31733 — generated images under
cache/images/are not delivered via TelegramMEDIA:because the gateway'sMEDIA_DELIVERY_SAFE_ROOTSonly allowlists the legacyimage_cache/path.Root Cause
image_gen_provider.pywrites to the canonicalcache/images/directory, butget_hermes_dir("cache/images", "image_cache")resolves to the legacyimage_cache/when it already exists on disk. SinceMEDIA_DELIVERY_SAFE_ROOTSonly included theget_hermes_dir()result and explicit legacy entries, the canonical path was left uncovered on migrated installs.Fix
Add explicit canonical cache path entries to
MEDIA_DELIVERY_SAFE_ROOTSalongside the existingget_hermes_dir()and legacy entries:_HERMES_HOME / "cache" / "images"_HERMES_HOME / "cache" / "audio"_HERMES_HOME / "cache" / "videos"_HERMES_HOME / "cache" / "documents"_HERMES_HOME / "cache" / "screenshots"Reviewer Feedback from Closed PR #31764
This PR addresses the concerns raised by @GodsBoy on the previous attempt:
TestCanonicalCachePathRegressionthat do NOT monkeypatchMEDIA_DELIVERY_SAFE_ROOTS. They exercise the actual default production list:validate_media_delivery_path()accepts themmain(825948e)Files Changed
gateway/platforms/base.pyMEDIA_DELIVERY_SAFE_ROOTStests/gateway/test_platform_base.pyTestCanonicalCachePathRegression(7 tests)Test Results