refactor: consolidate sensitive path env vars into PYATLAN_UPLOAD_FILE_BLOCKED_PATHS

Replace three separate env vars (PYATLAN_SENSITIVE_SYSTEM_PREFIXES,
PYATLAN_SENSITIVE_DIR_NAMES, PYATLAN_SENSITIVE_FILE_PREFIXES) with a single
PYATLAN_UPLOAD_FILE_BLOCKED_PATHS that accepts comma-separated path patterns
matched as substrings against the full resolved file path. Also update the
error message from "Access to sensitive" to "Access to blocked".

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Aryamanz29

pyatlan/client/common/file.py

@@ -5,7 +5,6 @@
 from typing import Any
 
 # System directories that must never be read from.
-# Extend via PYATLAN_SENSITIVE_SYSTEM_PREFIXES (comma-separated paths, e.g. "/vault/,/secrets/")
 _SENSITIVE_SYSTEM_PREFIXES = (
     "/etc/",
     "/proc/",
@@ -17,11 +16,9 @@
 )
 
 # Hidden credential/config directories that must never be read from.
-# Extend via PYATLAN_SENSITIVE_DIR_NAMES (comma-separated names, e.g. ".vault,.myconfig")
 _SENSITIVE_DIR_NAMES = frozenset({".aws", ".ssh", ".gnupg"})
 
 # File name prefixes for environment/secret files.
-# Extend via PYATLAN_SENSITIVE_FILE_PREFIXES (comma-separated prefixes, e.g. ".secrets,.credentials")
 _SENSITIVE_FILE_PREFIXES = (".env",)
 
 
@@ -96,30 +93,31 @@ def validate_file_path(file_path: str) -> Any:
         resolved = path.resolve()
         resolved_str = str(resolved)
 
-        system_prefixes = _SENSITIVE_SYSTEM_PREFIXES + tuple(
-            _parse_env_list("PYATLAN_SENSITIVE_SYSTEM_PREFIXES")
-        )
-        dir_names = _SENSITIVE_DIR_NAMES | frozenset(
-            _parse_env_list("PYATLAN_SENSITIVE_DIR_NAMES")
-        )
-        file_prefixes = _SENSITIVE_FILE_PREFIXES + tuple(
-            _parse_env_list("PYATLAN_SENSITIVE_FILE_PREFIXES")
-        )
-
         # Block sensitive system directories (e.g. /etc/, /proc/, /dev/)
-        if resolved_str.startswith(system_prefixes):
+        if resolved_str.startswith(_SENSITIVE_SYSTEM_PREFIXES):
             raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
                 file_path
             )
 
         # Block credential/config hidden directories (e.g. .aws, .ssh, .gnupg)
-        if any(part in dir_names for part in resolved.parts):
+        if any(part in _SENSITIVE_DIR_NAMES for part in resolved.parts):
             raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
                 file_path
             )
 
         # Block environment/secret files (e.g. .env, .env.local, .env.production)
-        if resolved.name.startswith(file_prefixes):
+        if resolved.name.startswith(_SENSITIVE_FILE_PREFIXES):
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
+                file_path
+            )
+
+        # Block user-defined paths via PYATLAN_UPLOAD_FILE_BLOCKED_PATHS (comma-separated).
+        # Each entry is matched as a substring against the full resolved path, so it
+        # can express system prefixes ("/vault/"), dir names (".vault"), or
+        # file prefixes (".credentials").
+        # e.g. PYATLAN_UPLOAD_FILE_BLOCKED_PATHS="/custom/secrets/,.vault,.credentials"
+        user_blocked = _parse_env_list("PYATLAN_UPLOAD_FILE_BLOCKED_PATHS")
+        if any(pattern in resolved_str for pattern in user_blocked):
             raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
                 file_path
             )

pyatlan/errors.py

@@ -685,8 +685,8 @@ class ErrorCode(Enum):
     INVALID_UPLOAD_FILE_PATH_SENSITIVE = (
         400,
         "ATLAN-PYTHON-400-078",
-        "Access to sensitive file path is not allowed: {0}.",
-        "Ensure the file path does not point to sensitive system files or credential directories.",
+        "Access to blocked file path is not allowed: {0}.",
+        "Ensure the file path does not point to a blocked location (system files, credential directories, or paths defined in PYATLAN_UPLOAD_FILE_BLOCKED_PATHS).",
         InvalidRequestError,
     )
     AUTHENTICATION_PASSTHROUGH = (

tests/unit/test_file_client.py

@@ -172,29 +172,29 @@ def test_file_client_methods_validation_error(client, method, params):
         # Sensitive system files
         [
             "/etc/passwd",
-            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+            "ATLAN-PYTHON-400-078 Access to blocked file path is not allowed",
         ],
         [
             "/etc/shadow",
-            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+            "ATLAN-PYTHON-400-078 Access to blocked file path is not allowed",
         ],
         # Credential directories
         [
             "/home/user/.aws/credentials",
-            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+            "ATLAN-PYTHON-400-078 Access to blocked file path is not allowed",
         ],
         [
             "/home/user/.ssh/id_rsa",
-            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+            "ATLAN-PYTHON-400-078 Access to blocked file path is not allowed",
         ],
         # Environment files
         [
             "/app/.env",
-            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+            "ATLAN-PYTHON-400-078 Access to blocked file path is not allowed",
         ],
         [
             "/app/.env.production",
-            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+            "ATLAN-PYTHON-400-078 Access to blocked file path is not allowed",
         ],
     ],
 )
@@ -211,21 +211,21 @@ def test_file_client_upload_file_raises_invalid_request_error(
 
 
 @pytest.mark.parametrize(
-    "env_var, env_value, file_path",
+    "env_value, file_path",
     [
-        ("PYATLAN_SENSITIVE_SYSTEM_PREFIXES", "/custom/secrets/", "/custom/secrets/key"),
-        ("PYATLAN_SENSITIVE_DIR_NAMES", ".vault", "/home/user/.vault/token"),
-        ("PYATLAN_SENSITIVE_FILE_PREFIXES", ".credentials", "/app/.credentials.prod"),
+        ("/custom/secrets/", "/custom/secrets/key"),
+        (".vault", "/home/user/.vault/token"),
+        (".credentials", "/app/.credentials.prod"),
     ],
 )
 def test_file_client_upload_file_user_defined_sensitive_paths(
-    monkeypatch, mock_api_caller, env_var, env_value, file_path
+    monkeypatch, mock_api_caller, env_value, file_path
 ):
-    monkeypatch.setenv(env_var, env_value)
+    monkeypatch.setenv("PYATLAN_UPLOAD_FILE_BLOCKED_PATHS", env_value)
     client = FileClient(client=mock_api_caller)
     with pytest.raises(
         InvalidRequestError,
-        match="ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+        match="ATLAN-PYTHON-400-078 Access to blocked file path is not allowed",
     ):
         client.upload_file(presigned_url="test-url", file_path=file_path)