fix: scope-check paths in /move, update anthropic SDK to 0.89.0

2026-04-07 16:28:33 +02:00
parent 9f4985a444
commit c58817becc
2 changed files with 11 additions and 4 deletions
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,6 +4,6 @@ pillow==12.2.0
 opencv-python-headless==4.13.0.92
 imagehash==4.3.1
 python-dotenv==1.0.1
-anthropic==0.25.0
+anthropic==0.89.0
 pytest==8.1.1
 httpx==0.27.0
--- a/server.py
+++ b/server.py
@@ -78,14 +78,21 @@ def analyze(req: AnalyzeRequest):

@app.post("/move")
 def move_files(req: MoveRequest):
-    target_dir = os.path.join(req.folder, "_aussortiert")
+    folder_abs = os.path.abspath(req.folder)
+    if not os.path.isdir(folder_abs):
+        raise HTTPException(status_code=400, detail=f"Ordner nicht gefunden: {req.folder}")
+    target_dir = os.path.join(folder_abs, "_aussortiert")
    os.makedirs(target_dir, exist_ok=True)
    moved = []
    errors = []
    for path in req.paths:
+        path_abs = os.path.abspath(path)
+        if not path_abs.startswith(folder_abs + os.sep):
+            errors.append({"path": path, "error": "Pfad liegt außerhalb des analysierten Ordners"})
+            continue
        try:
-            dest = os.path.join(target_dir, os.path.basename(path))
-            shutil.move(path, dest)
+            dest = os.path.join(target_dir, os.path.basename(path_abs))
+            shutil.move(path_abs, dest)
            moved.append(path)
        except Exception as e:
            errors.append({"path": path, "error": str(e)})