openeo-python-client icon indicating copy to clipboard operation
openeo-python-client copied to clipboard
verified publisher icon Open-EO

don't assume asset key can directly be used as download file name

Open soxofaan opened this issue 3 months ago • 2 comments

the batch job result asset download logic currently works with the assumption that the asset key can directly be used as target file name. While this is currently true for probably most backends, this is just based on a weak suggestion from openEO API:

Dictionary of asset objects for data that can be downloaded, each with a unique key. The keys MAY be used by clients as file names.

and this suggestion might be further weakened when further aligning with vanilla STAC.

Aspects to be taken into account here:

  • key contains characters that are generally not filename-friendly
  • key contains directory separators (which might break the download, or, worse, form a vector for security issues)
  • key doesn't have expected file extension, while href does have a more useful extension (which might annoy users)

soxofaan avatar Oct 21 '25 15:10 soxofaan

FYI, from https://github.com/Open-EO/openeo-geopyspark-driver/issues/291#issuecomment-1352879782:

Adding this sentence above to the spec might not have been the wisest decision.

bossie avatar Oct 27 '25 13:10 bossie

interesting pointer,

so probably even better to escalate this to level of openeo-api:

  • https://github.com/Open-EO/openeo-api/issues/579

soxofaan avatar Oct 27 '25 16:10 soxofaan