From 16b5d9112bcd35361cfd9348caed0da68c718db4 Mon Sep 17 00:00:00 2001
From: Luke Mino-Altherr
Date: Wed, 4 Feb 2026 15:24:51 -0800
Subject: [PATCH] Fix path traversal validation to return 400 instead of 500
Catch ValueError from resolve_destination_from_tags in the upload endpoint so that invalid path components like '..' return a 400 BAD_REQUEST error instead of falling through to the 500 handler.
Amp-Thread-ID: https://ampcode.com/threads/T-019c2af2-7c87-7263-88b0-9feca1c31b3c
Co-authored-by: Amp
---
 app/assets/api/routes.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/app/assets/api/routes.py b/app/assets/api/routes.py
index 23fbe822a..688b9f2db 100644
--- a/app/assets/api/routes.py
+++ b/app/assets/api/routes.py
@@ -386,6 +386,9 @@ async def upload_asset(request: web.Request) -> web.Response:
 except AssetValidationError as e:
 _delete_temp_file_if_exists(parsed.tmp_path)
 return _build_error_response(400, e.code, str(e))
+ except ValueError as e:
+ _delete_temp_file_if_exists(parsed.tmp_path)
+ return _build_error_response(400, "BAD_REQUEST", str(e))
 except HashMismatchError as e:
 _delete_temp_file_if_exists(parsed.tmp_path)
 return _build_error_response(400, "HASH_MISMATCH", str(e))
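Review bot: The new `except ValueError` clause is placed before `except HashMismatchError`, so if HashMismatchError (its definition is not visible here) derives from ValueError, hash mismatches would now be reported as `BAD_REQUEST` instead of `HASH_MISMATCH`; placing the new clause after the more specific handlers avoids that. The clause also catches every ValueError raised anywhere in the try body, which starts outside this hunk, so an unrelated internal failure would be returned to the client as a 400 rather than surfacing as a server error. Because `str(e)` is echoed in the response, the caller may see a resolved path or other internals, depending on what resolve_destination_from_tags puts in the message. Consider having that helper raise a dedicated exception (or AssetValidationError) and returning a fixed message such as `return _build_error_response(400, "BAD_REQUEST", "invalid path component in tags")`, while logging the original error server-side so rejected traversal attempts stay visible to operators.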