forgejo_admin/minio-api
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

QA nits from PR #2: memory pattern, head_bucket error handling, Content-Disposition injection #3

New issue
Open
opened 2026-03-22 07:24:15 +00:00 by forgejo_admin · 0 comments
forgejo_admin commented 2026-03-22 07:24:15 +00:00
Owner
Copy link

Type

Bug

Repo

forgejo_admin/minio-api

What Broke

QA review of PR #2 identified 4 non-blocking nits:

  1. Memory accumulation in put_object — chunks appended to bytearray but entire content held in memory during SDK call
  2. Missing MinioError catch in head_bucket/bucket_exists — raw exception could leak
  3. Content-Disposition header injection — unquoted filename from user input in download response
  4. Stale test count in PR body (cosmetic)

Repro Steps

  1. Upload a 90MB file via PUT — entire file held in memory as bytearray
  2. Call HEAD on nonexistent bucket — potential unhandled exception
  3. Upload file with name containing "; rm -rf / — Content-Disposition header unsanitized

Expected Behavior

  1. Streaming upload to SDK without full memory buffering (or document the 100MB cap as acceptable)
  2. All MinIO errors caught and returned as structured JSON
  3. Filename sanitized or quoted in Content-Disposition header

Environment

  • minio-api main branch (post PR #2 merge)
  • Python 3.12, FastAPI

Lineage

plan-minio-mobile → Phase 2a (QA nits from PR #2)

File Targets

  • src/minio_api/routes/objects.py — memory pattern, Content-Disposition
  • src/minio_api/routes/buckets.py — head_bucket error handling

Acceptance Criteria

  • Content-Disposition filename properly quoted/sanitized
  • head_bucket wraps MinioError
  • Memory pattern documented or improved

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • phase-minio-mobile-2a-fastapi-routes — source phase
### Type Bug ### Repo `forgejo_admin/minio-api` ### What Broke QA review of PR #2 identified 4 non-blocking nits: 1. Memory accumulation in `put_object` — chunks appended to bytearray but entire content held in memory during SDK call 2. Missing `MinioError` catch in `head_bucket`/`bucket_exists` — raw exception could leak 3. `Content-Disposition` header injection — unquoted filename from user input in download response 4. Stale test count in PR body (cosmetic) ### Repro Steps 1. Upload a 90MB file via PUT — entire file held in memory as bytearray 2. Call HEAD on nonexistent bucket — potential unhandled exception 3. Upload file with name containing `"; rm -rf /` — Content-Disposition header unsanitized ### Expected Behavior 1. Streaming upload to SDK without full memory buffering (or document the 100MB cap as acceptable) 2. All MinIO errors caught and returned as structured JSON 3. Filename sanitized or quoted in Content-Disposition header ### Environment - minio-api main branch (post PR #2 merge) - Python 3.12, FastAPI ### Lineage `plan-minio-mobile` → Phase 2a (QA nits from PR #2) ### File Targets - `src/minio_api/routes/objects.py` — memory pattern, Content-Disposition - `src/minio_api/routes/buckets.py` — head_bucket error handling ### Acceptance Criteria - [ ] Content-Disposition filename properly quoted/sanitized - [ ] head_bucket wraps MinioError - [ ] Memory pattern documented or improved ### Checklist - [ ] PR opened - [ ] Tests pass - [ ] No unrelated changes ### Related - `phase-minio-mobile-2a-fastapi-routes` — source phase
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/minio-api#3
No description provided.