Code review findings: security, correctness, and modernization issues

[Claude]

Comprehensive code review of the modernized FastAPI file uploader identified critical security vulnerabilities, correctness issues, and areas for improvement.

Findings

Critical

• Typo in util/credentialStore.py:4: class credentailStore → should be credentialStore
• Deprecated FastAPI event handler: @app.on_event("startup") → migrate to lifespan context manager
• Security info disclosure in util/misc.py:56: exception exposes internal file paths

High Priority

• Path traversal vulnerability in util/misc.py:29: unsafe UPLOAD_PATH + file.filename concatenation allows ../ attacks
• Missing await in main.py:34: async uploadFile(file) called without await
• Logic error in main.py:31: when _filename_len == 1, using [_filename_len - 1] gets index 0 (base name, not extension)
• Type hint error in util/filenameGenerator.py:7: returns string module instead of str type
• Missing list parsing in util/envVars.py:21: getAllowedContentTypes() returns raw string, not List[str]

Medium Priority

• Overly broad except Exception in util/misc.py:55
• Missing file handle cleanup in error paths
• No file size limits, rate limiting, or filename validation
• Wildcard imports obscure dependencies
• Debug print() statements instead of structured logging

Security Recommendations

# Current vulnerable code
with open(configuration.UPLOAD_PATH + file.filename, 'wb') as f:
    f.write(content)

# Should sanitize paths
from pathlib import Path
safe_path = (Path(configuration.UPLOAD_PATH) / Path(file.filename).name).resolve()
if not safe_path.is_relative_to(Path(configuration.UPLOAD_PATH).resolve()):
    raise ValueError("Invalid filename")

Add file size limits, rate limiting, and proper input validation to prevent DoS and path traversal attacks.