improved file extension checks

DefectDojo · Nov 5, 2024 · c39aeed · c39aeed
1 parent c575dee
commit c39aeed
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 32 deletions.
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -804,20 +804,8 @@ class Meta:
 
     def validate(self, data):
         if file := data.get("file"):
-            ext = os.path.splitext(file.name)[1]  # [0] returns path+filename
-            valid_extensions = settings.FILE_UPLOAD_TYPES
-            if ext.lower() not in valid_extensions:
-                if accepted_extensions := f"{', '.join(valid_extensions)}":
-                    msg = (
-                        "Unsupported extension. Supported extensions are as "
-                        f"follows: {accepted_extensions}"
-                    )
-                else:
-                    msg = (
-                        "File uploads are prohibited due to the list of acceptable "
-                        "file extensions being empty"
-                    )
-                raise ValidationError(msg)
+            # the clean will validate the file extensions and raise a Validation error if the extensions are not accepted
+            FileUpload(title=file.name, file=file).clean()
             return data
         return None
 

diff --git a/dojo/importers/base_importer.py b/dojo/importers/base_importer.py
@@ -1,6 +1,5 @@
 import base64
 import logging
-from pathlib import Path
 from typing import List, Tuple
 
 from django.conf import settings
@@ -687,21 +686,6 @@ def process_files(
             for unsaved_file in finding.unsaved_files:
                 data = base64.b64decode(unsaved_file.get("data"))
                 title = unsaved_file.get("title", "<No title>")
-                valid_extensions = settings.FILE_UPLOAD_TYPES
-
-                if Path(title).suffix not in valid_extensions:
-                    if accepted_extensions := f"{', '.join(valid_extensions)}":
-                        msg = (
-                            "Unsupported extension. Supported extensions are as "
-                            f"follows: {accepted_extensions}"
-                        )
-                    else:
-                        msg = (
-                            "File uploads are prohibited due to the list of acceptable "
-                            "file extensions being empty"
-                        )
-                    raise ValidationError(msg)
-
                 file_upload, _ = FileUpload.objects.get_or_create(title=title)
                 file_upload.file.save(title, ContentFile(data))
                 file_upload.save()

diff --git a/dojo/models.py b/dojo/models.py
@@ -6,6 +6,7 @@
 import re
 import warnings
 from datetime import datetime
+from pathlib import Path
 from typing import Dict, Optional, Set
 from uuid import uuid4
 
@@ -733,6 +734,24 @@ def get_accessible_url(self, obj, obj_id):
 
         return f"access_file/{self.id}/{obj_id}/{obj_type}"
 
+    def clean(self):
+        if not self.title:
+            self.title = "<No Title>"
+
+        title = self.title
+        valid_extensions = settings.FILE_UPLOAD_TYPES
+
+        if Path(title).suffix.lower() not in valid_extensions:
+            if accepted_extensions := f"{', '.join(valid_extensions)}":
+                msg = (
+                    _("Unsupported extension. Supported extensions are as follows: %s") % accepted_extensions
+                )
+            else:
+                msg = (
+                    _("File uploads are prohibited due to the list of acceptable file extensions being empty")
+                )
+            raise ValidationError(msg)
+
 
 class Product_Type(models.Model):
 

diff --git a/dojo/tools/generic/json_parser.py b/dojo/tools/generic/json_parser.py
@@ -1,4 +1,8 @@
-from dojo.models import Endpoint, Finding
+import base64
+
+from django.core.files.base import ContentFile
+
+from dojo.models import Endpoint, FileUpload, Finding
 from dojo.tools.parser_test import ParserTest
 
 
@@ -103,6 +107,11 @@ def _get_test_json(self, data):
                         endpoint = Endpoint(**endpoint_item)
                     finding.unsaved_endpoints.append(endpoint)
             if unsaved_files:
+                for unsaved_file in unsaved_files:
+                    data = base64.b64decode(unsaved_file.get("data"))
+                    title = unsaved_file.get("title", "<No title>")
+                    FileUpload(title=title, file=ContentFile(data)).clean()
+
                 finding.unsaved_files = unsaved_files
             if finding.cve:
                 finding.unsaved_vulnerability_ids = [finding.cve]

diff --git a/unittests/scans/generic/test_with_image_no_ext.json b/unittests/scans/generic/test_with_image_no_ext.json
@@ -1,5 +1,5 @@
 {
-    "title": "My wonderfull report",
+    "title": "My wonderful report",
     "findings": [
         {
             "title": "Vuln with image and no extension",