Dark Mode

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

fix: normalize paths in file router to prevent HTTPException with dotdot paths#8425

Merged
mscolnick merged 1 commit intomarimo-team:mainfrom
bxff:fix/normalize-file-router-paths
Feb 23, 2026
Merged

fix: normalize paths in file router to prevent HTTPException with dotdot paths#8425
mscolnick merged 1 commit intomarimo-team:mainfrom
bxff:fix/normalize-file-router-paths

Conversation

Copy link
Contributor

bxff commented Feb 22, 2026

Summary

Fixes a bug where create_asgi_app() fails with HTTPException when file paths contain .. components.

Problem: When using os.path.join(os.path.dirname(__file__), "..", "..", "ui") (as the FastAPI example does), _allowed_paths stored the un-normalized absolute path (preserving ..), while resolve_file_path() normalized it via os.path.normpath(). This mismatch caused HTTPException('File not found') during SessionManager initialization.

Fix: Normalize paths consistently using normalize_path() when building _allowed_paths in ListOfFilesAppFileRouter.__init__ and in register_allowed_file().

Fixes #8414

Test Plan

  • Added regression test test_list_of_files_resolves_dotdot_in_path that creates a file router with a .. path and verifies resolve_file_path() succeeds
  • All 50 existing tests in test_file_router.py pass

...dot paths

When file paths contain '..' components (e.g., from os.path.join with
'..'), _allowed_paths stored the un-normalized absolute path while
resolve_file_path() normalized it via os.path.normpath(). This mismatch
caused HTTPException('File not found') during SessionManager
initialization for the create_asgi_app() / FastAPI integration.

Normalize paths consistently using normalize_path() when building
_allowed_paths and in register_allowed_file().

Fixes marimo-team#8414
Copy link

vercel bot commented Feb 22, 2026 *
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
marimo-docs Ready Preview, Comment Feb 22, 2026 9:26pm

Copy link

github-actions bot commented Feb 22, 2026


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

vercel bot deployed to Preview February 22, 2026 21:26 View deployment
Copy link
Contributor Author

bxff commented Feb 22, 2026

I have read the CLA Document and I hereby sign the CLA

mscolnick approved these changes Feb 22, 2026
mscolnick added the bug Something isn't working label Feb 22, 2026
Copy link

abhenderson commented Feb 23, 2026

Thank you for looking at this issue and doing a PR, much appreciated.
bxff reacted with heart emoji

mscolnick merged commit 31dfd43 into marimo-team:main Feb 23, 2026
39 of 41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

mscolnick mscolnick approved these changes

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Error running programmatic start of Marimo using FastAPI (FastAPI Example App and own Code)

4 participants