dify/api/agent-notes/controllers/files/app_assets_download.py.md at deploy/agent-dev - dify - Gitea: Git with a cup of tea

jprdonnelly/dify

mirror of https://github.com/langgenius/dify.git synced 2026-02-13 07:01:23 -05:00

Files

Harry c035133353 refactor(asset-storage): fix security problems

2026-01-25 03:44:36 +08:00

454 B

Raw Permalink Blame History

Summary:

App assets download proxy endpoint (signed URL verification, stream from storage).

Invariants:

Validates AssetPath fields (UUIDs, asset_type allowlist).
Verifies tenant-scoped signature and expiration before reading storage.
URL uses expires_at/nonce/sign query params.

Edge Cases:

Missing files return NotFound.
Invalid signature or expired link returns Forbidden.

Tests:

Verify signature validation and invalid/expired cases.