[Bug] Missing session validation in file download routes causes 500 Internal Server Error

[krrishrastogi05]

Summary

In Routes/DataFile/DataFileRoute.py, GET routes (/downloadFile, /downloadCSVFile, /downloadResultsFile) construct file paths using case = session.get('osycase', None). If a session is expired or missing, None is passed into pathlib.Path(). This triggers a TypeError: expected str, bytes or os.PathLike object, not NoneType. Since the routes only catch IOError, the server crashes with a 500 Internal Server Error.

Expected behavior

The routes should validate that the session case and necessary URL parameters exist before passing them to Path(). If they are missing, the server should safely return a 400 Bad Request.

Reproduction steps

1. Start the server and ensure you do not have an active osycase in your session.

2. Send a GET request to a download endpoint: curl -X GET "http://127.0.0.1:5002/downloadFile?file=test.csv"

3. Observe the Flask app crash with a TypeError in the logs and a 500 status returned to the client.

Environment

• Branch: main (EAPD-DRB/MUIOGO)

• Component: Routes/DataFile/DataFileRoute.py

Logs or screenshots

The crash occurs at the Path construction:

Python

case = session.get('osycase', None)
dataFile = Path(Config.DATA_STORAGE, case, 'res', 'csv', file) # <--- TypeError triggered here

[SeaCelo]

Keeping this issue as the canonical tracker for this bug. The current implementation PR is #416, which now covers both the missing-session crash and the missing-parameter crash paths across the download routes.

[SeaCelo]

fixed with #416