From 745c10e0d7a6be3325f188b39a95cb64c2f0a783 Mon Sep 17 00:00:00 2001
From: RaresKeY <158580472+RaresKeY@users.noreply.github.com>
Date: Tue, 16 Jun 2026 05:28:09 +0300
Subject: [PATCH] fix(gallery): confine gallery image path resolution (#4352)

---
 routes/gallery_routes.py | 8 --------
 tests/test_gallery_filename_confinement.py | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/routes/gallery_routes.py b/routes/gallery_routes.py
index 808f8488e..38bb51cdd 100644
--- a/routes/gallery_routes.py
+++ b/routes/gallery_routes.py
@@ -67,14 +67,6 @@ def _gallery_image_path(filename: str) -> Path:
 raise HTTPException(400, "Unsafe gallery filename")
 if safe_name != original:
 raise HTTPException(400, "Unsafe gallery filename")
- if not path.exists():
- cwd_root = (Path.cwd() / "data" / "generated_images").resolve()
- cwd_path = (cwd_root / safe_name).resolve()
- try:
- if os.path.commonpath([str(cwd_root), str(cwd_path)]) == str(cwd_root) and cwd_path.exists():
- return cwd_path
- except Exception:
- pass
 return path


diff --git a/tests/test_gallery_filename_confinement.py b/tests/test_gallery_filename_confinement.py
index 5bed85fe4..02ae460a0 100644
--- a/tests/test_gallery_filename_confinement.py
+++ b/tests/test_gallery_filename_confinement.py
@@ -28,6 +28,22 @@ def test_gallery_image_path_allows_safe_filename(tmp_path, monkeypatch):
 assert path == image_dir / "abc123.png"


+def test_gallery_image_path_does_not_fallback_to_cwd_data_dir(tmp_path, monkeypatch):
+ gallery_routes = _gallery_module()
+ configured_dir = tmp_path / "configured" / "generated_images"
+ cwd_root = tmp_path / "cwd"
+ cwd_image_dir = cwd_root / "data" / "generated_images"
+ cwd_image_dir.mkdir(parents=True)
+ (cwd_image_dir / "abc123.png").write_bytes(b"wrong root")
+ monkeypatch.setattr(gallery_routes, "GALLERY_IMAGE_DIR", configured_dir)
+ monkeypatch.chdir(cwd_root)
+
+ path = gallery_routes._gallery_image_path("abc123.png")
+
+ assert path == configured_dir / "abc123.png"
+ assert path != cwd_image_dir / "abc123.png"
+
+
+
 @pytest.mark.parametrize("filename", ["../../secret.png", "..\\secret.png", None, 12345])
 def test_gallery_image_path_rejects_unsafe_stored_filenames(tmp_path, monkeypatch, filename):
 gallery_routes = _gallery_module()
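Review bot: The new test `test_gallery_image_path_does_not_fallback_to_cwd_data_dir` never states its precondition: `configured_dir` is deliberately left uncreated, so `abc123.png` exists only under the CWD `data/generated_images` tree, which is the case where the removed `if not path.exists():` branch used to return the CWD copy. A comment above the `monkeypatch.setattr` line such as `# configured_dir is intentionally not created: a missing file is what triggered the old CWD fallback`, together with `assert not path.exists()` after the call, would stop a later edit that places the file under `configured_dir` from making the test pass for the wrong reason. The final `assert path != cwd_image_dir / "abc123.png"` is already implied by the equality assertion above it, so it documents intent rather than adding coverage.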