Validate that resolved session path stays within the sessions directory
using Path.is_relative_to(). Prevents session_id values like
"../../something" from escaping the sandbox.
Also guard the caller in _write_run_event where get_session_path is
called outside the existing OSError try/except block.
Fixes#1000
Co-authored-by: Sidhartha kumar <Alearner12@users.noreply.github.com>
* refactor: remove deprecated storage/backend.py (267 lines)
Delete the fully deprecated FileStorage class and inline its 5 still-active
methods (_validate_key, _load_run_sync, _load_summary_sync, _delete_run_sync,
_list_all_runs_sync) directly into ConcurrentStorage.
Changes:
- Delete core/framework/storage/backend.py (267 lines of no-op/deprecated code)
- Inline active read methods into ConcurrentStorage (no new FileStorage dep)
- Remove deprecated index operations (get_runs_by_goal, get_runs_by_status,
get_runs_by_node, list_all_goals) and their associated locking
- Update __init__.py to export ConcurrentStorage instead of FileStorage
- Update runtime/core.py to use ConcurrentStorage directly
- Fix Runtime.end_run() to call save_run_sync() (sync wrapper) instead of
the async save_run(), which was silently dropping the coroutine
- Update test_path_traversal_fix.py to test ConcurrentStorage._validate_key()
- Clean up test_storage.py — remove all FileStorage test classes, un-skip
ConcurrentStorage tests now that it's self-contained
- Remove stale FileStorage references from testing/test_storage.py docstring,
testing/debug_tool.py docstring, and test_runtime.py skip reasons
All 44 tests pass, ruff check and ruff format clean.
Fixes#6797
* fix(core): address CodeRabbitAI PR review feedback
- Fix critical no-op in ConcurrentStorage._save_run_sync by implementing atomic persistence to
uns/{run_id}.json.
- Update est_path_traversal_fix.py to test ConcurrentStorage directly and use real file paths for end-to-end validation.
- Unskip est_run_saved_on_end and assert actual run file persistence.
- Fix debug_tool.py to use load_run_sync() instead of the async load_run().
* fix(core): address round 2 of CodeRabbitAI reviews
- Add _validate_key to _save_run_sync and _load_summary_sync to enforce path traversal protections on the lowest level APIs.
- Invalidate summary cache and refresh run cache in save_run_sync() to match the async save_run() cache coherence behavior.
- Add tests for load_summary and save_run_sync path traversal rejection.
- Extend PATCH /triggers/{id} to accept trigger_config with cron
validation via croniter and active timer restart
- Add TRIGGER_UPDATED SSE event so frontend updates in real time
- Update frontend API client to use updateTrigger with config support
- Add tests for task update, cron restart, and invalid cron rejection
croniter is used for cron-based timer entry points but was never
declared in pyproject.toml. A fresh install would silently skip
all cron triggers. Add croniter>=1.4.0 to dependencies and raise
RuntimeError instead of silently continuing on ImportError.
Fixes#5353
* fix: preserve custom session ids in runtime logs
Treat any execution stored under sessions/<id> as a session-backed run so custom IDs stay visible in worker-session browsing and unified log APIs. Add regression coverage for custom IDs across executor path selection, log directory creation, and API listing.
Made-with: Cursor
* fix: ignore stray session directories in listing
Keep the session_ prefix as the fast path for worker session discovery, but allow custom IDs when a backing state.json exists. This avoids ghost directories in the UI while preserving the custom session ID support from the original fix.
Made-with: Cursor
Richard Tang