Merge pull request #1096 from roboflow/fix/code-scanning/98

Address code-scanning/98

Author: grzegorz-roboflow

inference/core/interfaces/http/builder/routes.py

@@ -2,7 +2,9 @@
 import logging
 import os
 import re
+from hashlib import sha256
 from pathlib import Path
+from typing import Any, Dict
 
 from fastapi import APIRouter, Body, Depends, Header, HTTPException, status
 from starlette.responses import HTMLResponse, JSONResponse, RedirectResponse, Response
@@ -112,12 +114,12 @@ async def get_all_workflows():
         stat_info = json_file.stat()
         try:
             with json_file.open("r", encoding="utf-8") as f:
-                config_contents = json.load(f)
+                config_contents: Dict[str, Any] = json.load(f)
         except json.JSONDecodeError as e:
             logger.error(f"Error decoding JSON from {json_file}: {e}")
             continue
 
-        data[json_file.stem] = {
+        data[config_contents.get("id", json_file.stem)] = {
             "createTime": int(stat_info.st_ctime),
             "updateTime": int(stat_info.st_mtime),
             "config": config_contents,
@@ -139,7 +141,8 @@ async def get_workflow(workflow_id: str):
     if not re.match(r"^[\w\-]+$", workflow_id):
         return JSONResponse({"error": "invalid id"}, status_code=HTTP_400_BAD_REQUEST)
 
-    file_path = workflow_local_dir / f"{workflow_id}.json"
+    workflow_hash = sha256(workflow_id.encode()).hexdigest()
+    file_path = workflow_local_dir / f"{workflow_hash}.json"
     if not file_path.exists():
         return JSONResponse({"error": "not found"}, status_code=HTTP_404_NOT_FOUND)
 
@@ -148,7 +151,7 @@ async def get_workflow(workflow_id: str):
         with file_path.open("r", encoding="utf-8") as f:
             config_contents = json.load(f)
     except json.JSONDecodeError as e:
-        logger.error(f"Error reading JSON from {file_path}: {e}")
+        logger.error(f"Error reading JSON for {workflow_id} from '{file_path}': {e}")
         return JSONResponse({"error": "invalid JSON"}, status_code=500)
 
     return Response(
@@ -179,32 +182,34 @@ async def create_or_overwrite_workflow(
     if not re.match(r"^[\w\-]+$", workflow_id):
         return JSONResponse({"error": "invalid id"}, status_code=HTTP_400_BAD_REQUEST)
 
-    file_path = workflow_local_dir / f"{workflow_id}.json"
     workflow_local_dir.mkdir(parents=True, exist_ok=True)
 
     # If the body claims a different ID, treat that as a "rename".
     if request_body.get("id") and request_body.get("id") != workflow_id:
-        old_id = request_body["id"]
+        old_id: str = request_body["id"]
         if not re.match(r"^[\w\-]+$", old_id):
             return JSONResponse(
                 {"error": "invalid id"}, status_code=HTTP_400_BAD_REQUEST
             )
 
-        old_file_path = workflow_local_dir / f"{old_id}.json"
+        old_workflow_hash = sha256(old_id.encode()).hexdigest()
+        old_file_path = workflow_local_dir / f"{old_workflow_hash}.json"
         if old_file_path.exists():
             try:
                 old_file_path.unlink()
             except Exception as e:
-                logger.error(f"Error deleting {old_file_path}: {e}")
+                logger.error(f"Error deleting {old_id} from {old_file_path}: {e}")
                 return JSONResponse({"error": "unable to delete file"}, status_code=500)
 
-        request_body["id"] = workflow_id
+    request_body["id"] = workflow_id
 
+    workflow_hash = sha256(workflow_id.encode()).hexdigest()
+    file_path = workflow_local_dir / f"{workflow_hash}.json"
     try:
         with file_path.open("w", encoding="utf-8") as f:
             json.dump(request_body, f, indent=2)
     except Exception as e:
-        logger.error(f"Error writing JSON to {file_path}: {e}")
+        logger.error(f"Error writing JSON for {workflow_id} to {file_path}: {e}")
         return JSONResponse({"error": "unable to write file"}, status_code=500)
 
     return JSONResponse(
@@ -223,14 +228,15 @@ async def delete_workflow(workflow_id: str):
     if not re.match(r"^[\w\-]+$", workflow_id):
         return JSONResponse({"error": "invalid id"}, status_code=HTTP_400_BAD_REQUEST)
 
-    file_path = workflow_local_dir / f"{workflow_id}.json"
+    workflow_hash = sha256(workflow_id.encode()).hexdigest()
+    file_path = workflow_local_dir / f"{workflow_hash}.json"
     if not file_path.exists():
         return JSONResponse({"error": "not found"}, status_code=HTTP_404_NOT_FOUND)
 
     try:
         file_path.unlink()
     except Exception as e:
-        logger.error(f"Error deleting {file_path}: {e}")
+        logger.error(f"Error deleting {workflow_id} from {file_path}: {e}")
         return JSONResponse({"error": "unable to delete file"}, status_code=500)
 
     return JSONResponse(
@@ -253,7 +259,8 @@ async def builder_maybe_redirect(workflow_id: str):
     if not re.match(r"^[\w\-]+$", workflow_id):
         return RedirectResponse(url="/build", status_code=302)
 
-    file_path = workflow_local_dir / f"{workflow_id}.json"
+    workflow_hash = sha256(workflow_id.encode()).hexdigest()
+    file_path = workflow_local_dir / f"{workflow_hash}.json"
     if file_path.exists():
         return RedirectResponse(url=f"/build/edit/{workflow_id}", status_code=302)
     else:

tests/inference/hosted_platform_tests/conftest.py

@@ -63,9 +63,10 @@ class PlatformEnvironment(Enum):
         "classification": "https://lambda-classification.staging.roboflow.com",
         "core-models": "https://3hkaykeh3j.execute-api.us-east-1.amazonaws.com",
     },
-
 }
-SERVICES_URLS[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = SERVICES_URLS[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST]
+SERVICES_URLS[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = SERVICES_URLS[
+    PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST
+]
 
 MODELS_TO_BE_USED = {
     PlatformEnvironment.ROBOFLOW_PLATFORM: {
@@ -85,15 +86,23 @@ class PlatformEnvironment(Enum):
         "yolov8n-pose-640": "microsoft-coco-pose/1",
     },
 }
-MODELS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = MODELS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_STAGING]
-MODELS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = MODELS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_PLATFORM]
+MODELS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = MODELS_TO_BE_USED[
+    PlatformEnvironment.ROBOFLOW_STAGING
+]
+MODELS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = MODELS_TO_BE_USED[
+    PlatformEnvironment.ROBOFLOW_PLATFORM
+]
 
 TARGET_PROJECTS_TO_BE_USED = {
     PlatformEnvironment.ROBOFLOW_PLATFORM: "active-learning-demo",
     PlatformEnvironment.ROBOFLOW_STAGING: "coin-counting",
 }
-TARGET_PROJECTS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = TARGET_PROJECTS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_STAGING]
-TARGET_PROJECTS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = TARGET_PROJECTS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_PLATFORM]
+TARGET_PROJECTS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = (
+    TARGET_PROJECTS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_STAGING]
+)
+TARGET_PROJECTS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = (
+    TARGET_PROJECTS_TO_BE_USED[PlatformEnvironment.ROBOFLOW_PLATFORM]
+)
 
 INTERFACE_DISCOVERING_WORKFLOW = {
     PlatformEnvironment.ROBOFLOW_STAGING: ("paul-guerrie", "staging-test-workflow"),
@@ -102,8 +111,12 @@ class PlatformEnvironment(Enum):
         "prod-test-workflow",
     ),
 }
-INTERFACE_DISCOVERING_WORKFLOW[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = INTERFACE_DISCOVERING_WORKFLOW[PlatformEnvironment.ROBOFLOW_STAGING]
-INTERFACE_DISCOVERING_WORKFLOW[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = INTERFACE_DISCOVERING_WORKFLOW[PlatformEnvironment.ROBOFLOW_PLATFORM]
+INTERFACE_DISCOVERING_WORKFLOW[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = (
+    INTERFACE_DISCOVERING_WORKFLOW[PlatformEnvironment.ROBOFLOW_STAGING]
+)
+INTERFACE_DISCOVERING_WORKFLOW[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = (
+    INTERFACE_DISCOVERING_WORKFLOW[PlatformEnvironment.ROBOFLOW_PLATFORM]
+)
 
 ROBOFLOW_API_KEY = os.environ["HOSTED_PLATFORM_TESTS_API_KEY"]
 OPENAI_KEY = os.getenv("OPENAI_KEY")

tests/inference/hosted_platform_tests/workflows_examples/roboflow_models/v1/test_workflow_for_classification.py

@@ -124,8 +124,16 @@ def test_multi_class_classification_workflow(
     ],
     PlatformEnvironment.ROBOFLOW_PLATFORM: [{"dog"}, set()],
 }
-MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_STAGING]
-MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_PLATFORM]
+MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST
+] = MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_STAGING
+]
+MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST
+] = MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_PLATFORM
+]
 
 
 @pytest.mark.flaky(retries=4, delay=1)

tests/inference/hosted_platform_tests/workflows_examples/roboflow_models/v2/test_workflow_for_classification.py

@@ -40,8 +40,17 @@
     PlatformEnvironment.ROBOFLOW_STAGING: [0.3667, 0.5917],
     PlatformEnvironment.ROBOFLOW_PLATFORM: [0.8252, 0.9962],
 }
-MULTI_CLASS_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = MULTI_CLASS_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_STAGING]
-MULTI_CLASS_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = MULTI_CLASS_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_PLATFORM]
+MULTI_CLASS_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST
+] = MULTI_CLASS_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_STAGING
+]
+MULTI_CLASS_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST
+] = MULTI_CLASS_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_PLATFORM
+]
+
 
 @pytest.mark.flaky(retries=4, delay=1)
 def test_multi_class_classification_workflow(
@@ -125,8 +134,16 @@ def test_multi_class_classification_workflow(
     ],
     PlatformEnvironment.ROBOFLOW_PLATFORM: [{"dog"}, set()],
 }
-MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST] = MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_STAGING]
-MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST] = MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[PlatformEnvironment.ROBOFLOW_PLATFORM]
+MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_STAGING_LOCALHOST
+] = MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_STAGING
+]
+MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_PLATFORM_LOCALHOST
+] = MULTI_LABEL_CLASSIFICATION_RESULTS_FOR_ENVIRONMENT[
+    PlatformEnvironment.ROBOFLOW_PLATFORM
+]
 
 
 @pytest.mark.flaky(retries=4, delay=1)

tests/inference/unit_tests/core/interfaces/http/test_builder.py

@@ -39,6 +39,7 @@ def fake_read_text(self, encoding="utf-8"):
     app.include_router(routes.router, prefix="/build")
     return app
 
+
 def test_builder_html_injects_csrf(builder_app, builder_env_session):
     """
     Verify that the HTML response for GET /build has the CSRF token injected.
@@ -56,6 +57,7 @@ def test_builder_html_injects_csrf(builder_app, builder_env_session):
     token = token_match.group(1)
     assert len(token) == 32, "CSRF token should be 32 hex digits long"
 
+
 def test_builder_edit_injects_csrf(builder_app, builder_env_session):
     """
     Verify that GET /build/edit/{workflow_id} returns HTML with the CSRF token.
@@ -68,34 +70,41 @@ def test_builder_edit_injects_csrf(builder_app, builder_env_session):
     token = token_match.group(1)
     assert len(token) == 32, "CSRF token should be 32 hex digits long"
 
+
 def test_builder_redirect_trailing_slash(builder_app):
     """
     Verify that GET /build/ returns a redirect.
     """
     client = TestClient(builder_app)
     response = client.get("/build/", follow_redirects=False)
-    assert response.status_code == HTTP_302_FOUND, f"Expected 302, got {response.status_code}"
+    assert (
+        response.status_code == HTTP_302_FOUND
+    ), f"Expected 302, got {response.status_code}"
     assert response.headers["location"] == "/build"
 
+
 def test_api_get_all_workflows_unauthorized(builder_app):
     client = TestClient(builder_app)
     response = client.get("/build/api")
     assert response.status_code == HTTP_403_FORBIDDEN
 
+
 def test_api_get_workflow_invalid_id(builder_app):
     """
     Use an invalid workflow_id (with an illegal character) so that the route
     returns 400 instead of 404. (Using slashes would fail to match the route.)
     """
     client = TestClient(builder_app)
     from inference.core.interfaces.http.builder.routes import csrf
+
     invalid_id = "invalid$id"  # '$' is not allowed by the regex [\w\-]+
     response = client.get(
         f"/build/api/{invalid_id}",
         headers={"X-CSRF": csrf},
     )
     assert response.status_code == HTTP_400_BAD_REQUEST
 
+
 def test_api_create_and_read(builder_app):
     client = TestClient(builder_app)
     from inference.core.interfaces.http.builder.routes import csrf
@@ -114,20 +123,25 @@ def test_api_create_and_read(builder_app):
     data = get_resp.json()
     assert data["data"]["config"] == {"id": "test-wf", "stuff": 123}
 
+
 def test_fallback_redirect_invalid_id(builder_app):
     """
     With an invalid id containing slashes, the route will not match and yield a 404.
     """
     client = TestClient(builder_app)
     response = client.get("/build/../../etc/passwd", follow_redirects=False)
-    assert response.status_code == HTTP_404_NOT_FOUND, f"Expected 404, got {response.status_code}"
+    assert (
+        response.status_code == HTTP_404_NOT_FOUND
+    ), f"Expected 404, got {response.status_code}"
+
 
 def test_fallback_redirect_exists(builder_app):
     """
     Create a workflow via the JSON API and verify that GET /build/<id> redirects to /build/edit/<id>.
     """
     client = TestClient(builder_app)
     from inference.core.interfaces.http.builder.routes import csrf
+
     client.post(
         "/build/api/foobar",
         json={"id": "foobar"},
@@ -137,6 +151,7 @@ def test_fallback_redirect_exists(builder_app):
     assert response.status_code == HTTP_302_FOUND
     assert response.headers["location"] == "/build/edit/foobar"
 
+
 def test_fallback_redirect_not_exists(builder_app):
     """
     If the workflow file does not exist, GET /build/<id> should redirect to /build.

tests/inference/unit_tests/core/interfaces/http/test_cors.py

@@ -9,6 +9,7 @@
 def homepage(request):
     return PlainTextResponse("Hello, world!")
 
+
 def create_app(match_paths=None, allow_origins=None):
     """
     Utility to create a Starlette test app with our custom PathAwareCORSMiddleware.

tests/workflows/integration_tests/execution/test_workflow_with_camera_calibration.py

@@ -80,10 +80,10 @@ def test_workflow_with_camera_calibration(
     result = execution_engine.run(
         runtime_parameters={
             "images": [dogs_image],
-            "fx": 1.48052348e+03,
-            "fy": 1.62041507e+03,
-            "cx": 7.76228486e+02,
-            "cy": 5.09102914e+02,
+            "fx": 1.48052348e03,
+            "fy": 1.62041507e03,
+            "cx": 7.76228486e02,
+            "cy": 5.09102914e02,
             "k1": -0.67014685,
             "k2": 0.84140975,
             "k3": -0.40499778,

tests/workflows/integration_tests/execution/test_workflow_with_detections_merge.py

@@ -80,30 +80,32 @@ def test_detections_merge_workflow(
     assert isinstance(
         result[0]["result"], sv.Detections
     ), "Output must be instance of sv.Detections"
-    
+
     # Check that we have exactly one merged detection
     assert len(result[0]["result"]) == 1, "Should have exactly one merged detection"
-    
+
     # Check that the merged detection has all required fields
     assert "class_name" in result[0]["result"].data, "Should have class_name in data"
-    assert "detection_id" in result[0]["result"].data, "Should have detection_id in data"
-    
+    assert (
+        "detection_id" in result[0]["result"].data
+    ), "Should have detection_id in data"
+
     # Check that the bounding box has reasonable dimensions
     merged_bbox = result[0]["result"].xyxy[0]
     image_height, image_width = dogs_image.shape[:2]
-    
+
     # Check that coordinates are within image bounds
     assert 0 <= merged_bbox[0] <= image_width, "x1 should be within image bounds"
     assert 0 <= merged_bbox[1] <= image_height, "y1 should be within image bounds"
     assert 0 <= merged_bbox[2] <= image_width, "x2 should be within image bounds"
     assert 0 <= merged_bbox[3] <= image_height, "y2 should be within image bounds"
-    
+
     # Check that the box has reasonable dimensions
     assert merged_bbox[2] > merged_bbox[0], "x2 should be greater than x1"
     assert merged_bbox[3] > merged_bbox[1], "y2 should be greater than y1"
-    
+
     # Check that the box is large enough to likely contain the dogs
     box_width = merged_bbox[2] - merged_bbox[0]
     box_height = merged_bbox[3] - merged_bbox[1]
     assert box_width > 100, "Merged box should be reasonably wide"
-    assert box_height > 100, "Merged box should be reasonably tall" 
+    assert box_height > 100, "Merged box should be reasonably tall"

tests/workflows/unit_tests/core_steps/transformations/test_detections_merge.py

@@ -114,4 +114,4 @@ def test_detections_merge_block_empty_input() -> None:
     assert "predictions" in output
     assert len(output["predictions"]) == 0
     assert isinstance(output["predictions"].xyxy, np.ndarray)
-    assert output["predictions"].xyxy.shape == (0, 4) 
+    assert output["predictions"].xyxy.shape == (0, 4)