Upload authorization (Python workflow)
A Python workflow service has an older upload path that still accepts caller-controlled files. The task is to bring that path under the same authorization and upload-size boundary as the supported flow while preserving the response shape callers already rely on.
| Dimension | Preview |
|---|---|
| Ecosystem | Python |
| CWE class | CWE-285 (Improper Authorization), CWE-770 (resource limits) |
| Security theme | Authorization and upload limits |
| Work type | Route hardening with compatibility constraints |
| Disclosure | Class-level security brief |
| Grading focus | Auth behavior, size-limit behavior, and normal upload compatibility |
Environment
The agent has to compare related route implementations and repair the path that is out of policy. A one-line guard is not sufficient if it changes argument binding, skips the limit path, or alters the endpoint contract.
Evaluation focus
The environment separates complete authorization and limit coverage from fixes that guard the wrong path, skip the size boundary, or change endpoint behavior. Strong solutions keep the existing response contract intact while closing the legacy path.
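The shape of fix that the Environment and Evaluation focus paragraphs describe, as an added sketch that is not the task's own code: one shared guard applied to both the supported and the legacy handler, forwarding arguments unchanged and leaving each response body as it was. All names, the user/workflow model, the 1024-byte limit and the 403/413 status codes are assumptions made for illustration.

```python
import functools

MAX_UPLOAD_BYTES = 1024  # assumed limit for this sketch

class PolicyError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def enforce_upload_policy(handler):
    """Shared authorization and size boundary; arguments pass through unchanged."""
    @functools.wraps(handler)  # keeps the handler's name and signature visible
    def guarded(user, workflow_id, data, *args, **kwargs):
        if user is None or workflow_id not in user.get("workflows", ()):
            raise PolicyError(403, "not authorized for workflow")
        if len(data) > MAX_UPLOAD_BYTES:
            raise PolicyError(413, "upload too large")
        return handler(user, workflow_id, data, *args, **kwargs)
    return guarded

@enforce_upload_policy
def upload_v2(user, workflow_id, data, filename="blob"):
    return {"id": f"{workflow_id}/{filename}", "size": len(data)}

def legacy_upload_unguarded(user, workflow_id, data, filename="blob"):
    # Out-of-policy "before": no authorization check, no size check.
    return {"ok": True, "path": f"{workflow_id}/{filename}", "bytes": len(data)}

# Hardened legacy path: same guard as upload_v2, response body untouched.
legacy_upload = enforce_upload_policy(legacy_upload_unguarded)

def dispatch(handler, *args, **kwargs):
    """Hypothetical stand-in for the route layer: maps policy failures to a status."""
    try:
        return 200, handler(*args, **kwargs)
    except PolicyError as exc:
        return exc.status, {"error": str(exc)}

if __name__ == "__main__":
    alice = {"name": "alice", "workflows": {"wf1"}}  # constructed sample user
    print(dispatch(legacy_upload, alice, "wf1", b"abc", filename="a.txt"))
    print(dispatch(legacy_upload, alice, "wf2", b"abc"))
    print(dispatch(legacy_upload, alice, "wf1", b"x" * 2048))
```

The sketch checks `len(data)` on a body that is already in memory; a service that streams uploads would need to enforce the same limit while reading.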