Object File Uploads: Add validations and download functionality (#10183)

DefectDojo · May 13, 2024 · 3cff053 · 3cff053
1 parent dd1aefc
commit 3cff053
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 5 deletions.
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -1,5 +1,6 @@
 import json
 import logging
+import os
 import re
 from datetime import datetime
 from typing import List
@@ -797,6 +798,24 @@ class Meta:
         model = FileUpload
         fields = "__all__"
 
+    def validate(self, data):
+        if file := data.get("file"):
+            ext = os.path.splitext(file.name)[1]  # [0] returns path+filename
+            valid_extensions = settings.FILE_UPLOAD_TYPES
+            if ext.lower() not in valid_extensions:
+                if accepted_extensions := f"{', '.join(valid_extensions)}":
+                    msg = (
+                        "Unsupported extension. Supported extensions are as "
+                        f"follows: {accepted_extensions}"
+                    )
+                else:
+                    msg = (
+                        "File uploads are prohibited due to the list of acceptable "
+                        "file extensions being empty"
+                    )
+                raise ValidationError(msg)
+            return data
+
 
 class RawFileSerializer(serializers.ModelSerializer):
     file = serializers.FileField(required=True)

diff --git a/dojo/forms.py b/dojo/forms.py
@@ -850,13 +850,22 @@ def clean(self):
             # Don't bother validating the formset unless each form is valid on its own
             return
         for form in self.forms:
-            print(dir(form))
             file = form.cleaned_data.get('file', None)
             if file:
                 ext = os.path.splitext(file.name)[1]  # [0] returns path+filename
                 valid_extensions = settings.FILE_UPLOAD_TYPES
                 if ext.lower() not in valid_extensions:
-                    form.add_error('file', 'Unsupported file extension.')
+                    if accepted_extensions := f"{', '.join(valid_extensions)}":
+                        msg = (
+                            "Unsupported extension. Supported extensions are as "
+                            f"follows: {accepted_extensions}"
+                        )
+                    else:
+                        msg = (
+                            "File uploads are prohibited due to the list of acceptable "
+                            "file extensions being empty"
+                        )
+                    form.add_error('file', msg)
 
 
 ManageFileFormSet = modelformset_factory(FileUpload, extra=3, max_num=10, fields=['title', 'file'], can_delete=True, formset=BaseManageFileFormSet)

diff --git a/dojo/templates/dojo/view_eng.html b/dojo/templates/dojo/view_eng.html
@@ -691,7 +691,7 @@ <h4>Files<span class="pull-right">
                                 <div class="col-md-2" style="text-align: center">
                                     <div class="row">
                                         {% url 'access_file' fid=file.id oid=eng.id obj_type='Engagement' as image_url %}
-                                        <a href="{{ image_url }}" target="_blank">
+                                        <a href="{{ image_url }}" target="_blank" download>
                                             {% if file|get_thumbnail %}
                                                 <img src="{{ image_url }}" alt="thumbnail" style="width:150px">
                                             {% else %}

diff --git a/dojo/templates/dojo/view_finding.html b/dojo/templates/dojo/view_finding.html
@@ -943,7 +943,7 @@ <h4>Files<span class="pull-right">
                             <div class="col-md-2" style="text-align: center">
                                 <div class="row">
                                     {% url 'access_file' fid=file.id oid=finding.id obj_type='Finding' as image_url %}
-                                    <a href="{{ image_url }}" target="_blank">
+                                    <a href="{{ image_url }}" target="_blank" download>
                                         {% if file|get_thumbnail %}
                                             <img src="{{ image_url }}" alt="thumbnail" style="width:150px">
                                         {% else %}

diff --git a/dojo/templates/dojo/view_test.html b/dojo/templates/dojo/view_test.html
@@ -1551,7 +1551,7 @@ <h4>
                         <div class="col-md-2" style="text-align: center">
                             <div class="row">
                                 {% url 'access_file' fid=file.id oid=test.id obj_type='Test' as image_url %}
-                                <a href="{{ image_url }}" target="_blank">
+                                <a href="{{ image_url }}" target="_blank" download>
                                     {% if file|get_thumbnail %}
                                         <img src="{{ image_url }}" alt="thumbnail" style="width:150px">
                                     {% else %}