From 3cff0533361b1f9212e427c263565c82dee6ce1a Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Mon, 13 May 2024 11:33:01 -0500
Subject: [PATCH] Object File Uploads: Add validations and download functionality (#10183)
---
 dojo/api_v2/serializers.py | 19 +++++++++++++++++++
 dojo/forms.py | 13 +++++++++++--
 dojo/templates/dojo/view_eng.html | 2 +-
 dojo/templates/dojo/view_finding.html | 2 +-
 dojo/templates/dojo/view_test.html | 2 +-
 5 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
index c8ab20cc33e..74ffe721c3f 100644
--- a/dojo/api_v2/serializers.py
+++ b/dojo/api_v2/serializers.py
@@ -1,5 +1,6 @@
 import json
 import logging
+import os
 import re
 from datetime import datetime
 from typing import List
@@ -797,6 +798,24 @@ class Meta:
 model = FileUpload
 fields = "__all__"

+ def validate(self, data):
+ if file := data.get("file"):
+ ext = os.path.splitext(file.name)[1] # [0] returns path+filename
+ valid_extensions = settings.FILE_UPLOAD_TYPES
+ if ext.lower() not in valid_extensions:
+ if accepted_extensions := f"{', '.join(valid_extensions)}":
+ msg = (
+ "Unsupported extension. Supported extensions are as "
+ f"follows: {accepted_extensions}"
+ )
+ else:
+ msg = (
+ "File uploads are prohibited due to the list of acceptable "
+ "file extensions being empty"
+ )
+ raise ValidationError(msg)
+ return data
+

 class RawFileSerializer(serializers.ModelSerializer):
 file = serializers.FileField(required=True)
diff --git a/dojo/forms.py b/dojo/forms.py
index 0bf5429f717..09b8c33949b 100644
--- a/dojo/forms.py
+++ b/dojo/forms.py
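Review bot: The `validate` added to dojo/api_v2/serializers.py decides on `os.path.splitext(file.name)[1]` alone, and `file.name` is chosen by the uploader, so a permitted extension says nothing about what the bytes are; the formset `clean` in dojo/forms.py has the same limit. Because this commit also touches the templates for download, it is worth confirming (not visible in these hunks) that stored files are served as attachments with a fixed content type rather than rendered inline. I would state the limit in a comment above the check: `# Allowlist on the client-supplied name only; file content is not inspected`. The test `ext.lower() not in valid_extensions` also assumes `settings.FILE_UPLOAD_TYPES` is a list or set of lower-case entries; its type is not visible here, and if it were a plain string `in` would be a substring match that lets a file with no extension through, so a settings-time check that it is a list would make that assumption explicit.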
@@ -850,13 +850,22 @@ def clean(self):
 # Don't bother validating the formset unless each form is valid on its own
 return
 for form in self.forms:
- print(dir(form))
 file = form.cleaned_data.get('file', None)
 if file:
 ext = os.path.splitext(file.name)[1] # [0] returns path+filename
 valid_extensions = settings.FILE_UPLOAD_TYPES
 if ext.lower() not in valid_extensions:
- form.add_error('file', 'Unsupported file extension.')
+ if accepted_extensions := f"{', '.join(valid_extensions)}":
+ msg = (
+ "Unsupported extension. Supported extensions are as "
+ f"follows: {accepted_extensions}"
+ )
+ else:
+ msg = (
+ "File uploads are prohibited due to the list of acceptable "
+ "file extensions being empty"
+ )
+ form.add_error('file', msg)


 ManageFileFormSet = modelformset_factory(FileUpload, extra=3, max_num=10, fields=['title', 'file'], can_delete=True, formset=BaseManageFileFormSet)
diff --git a/dojo/templates/dojo/view_eng.html b/dojo/templates/dojo/view_eng.html
index 35f27e434d3..7189c7326de 100644
--- a/dojo/templates/dojo/view_eng.html
+++ b/dojo/templates/dojo/view_eng.html
@@ -691,7 +691,7 @@
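Review bot: The message-building branch added to `clean` repeats, line for line, the one in the `validate` added to dojo/api_v2/serializers.py, so the form and the API can drift apart on which uploads they refuse; a comment such as `# Keep in sync with the upload validate() in dojo/api_v2/serializers.py` would flag that until the check is shared. The f-string around the join adds nothing and can be dropped: `if accepted_extensions := ', '.join(valid_extensions):`. `clean` starts above the hunk, so its early-return path is only partly visible here.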

Files