Skip to content

fix(api): prevent upload filename collisions and reject unsupported image URLs#3187

Merged
Re-bin merged 3 commits intoHKUDS:mainfrom
mohamed-elkholy95:fix/api-upload-safety
Apr 16, 2026
Merged

fix(api): prevent upload filename collisions and reject unsupported image URLs#3187
Re-bin merged 3 commits intoHKUDS:mainfrom
mohamed-elkholy95:fix/api-upload-safety

Conversation

@mohamed-elkholy95
Copy link
Copy Markdown
Contributor

@mohamed-elkholy95 mohamed-elkholy95 commented Apr 15, 2026

Summary

Three fixes for the API upload handling in /v1/chat/completions:

  • Filename collision prevention — Multipart file uploads now prefix the client filename with a UUID ({uuid}_{filename}), preventing overwrites when concurrent requests upload files with the same name. Base64 data URL uploads already used UUIDs and were not affected.
  • Reject unsupported image URLs — JSON image_url content blocks with remote HTTPS URLs now return a 400 error with a clear message instead of silently dropping the image. Only data: base64 URLs are supported.
  • Consistent model validation — Model validation now runs after both JSON and multipart parsing paths, fixing an inconsistency where multipart requests bypassed the model check entirely.

Test plan

  • All 37 existing API tests pass (2 skipped due to missing python-docx optional dep)
  • test_multipart_upload_saves_file — verifies file saving still works with UUID prefix
  • test_model_mismatch_returns_400 — verifies model validation
  • Manual verification: two uploads with same filename produce distinct paths

mohamed-elkholy95 and others added 3 commits April 15, 2026 13:58
@mohamed-elkholy95
fix(api): prevent upload filename collisions, reject unsupported imag…
d73505d 
…e URLs

Three fixes in the API upload handling:

1. Multipart uploads now prefix filenames with a UUID to prevent
   overwrites when two requests upload files with the same name.
2. JSON image_url content blocks with remote HTTPS URLs now return
   a 400 error instead of silently dropping the image.
3. Model validation runs for both JSON and multipart requests,
   fixing an inconsistency where multipart bypassed the check.
@Re-bin
Merge remote-tracking branch 'origin/main' into pr-3187
0b63877
@Re-bin
test(api): cover remote image URL rejection
ea6548f
Re-bin
Re-bin approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@Re-bin Re-bin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ;)

@Re-bin Re-bin merged commit 7ce8f24 into HKUDS:main Apr 16, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Re-bin Re-bin Re-bin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mohamed-elkholy95 @Re-bin