FileUpload Base64 extension fix (#11203)

* initial files but likely to change * improved file extension checks * remove os import * Use file url * not used imports, file url or title
DefectDojo · Nov 11, 2024 · ca96f34 · ca96f34
1 parent f092d81
commit ca96f34
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 16 deletions.
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -1,6 +1,5 @@
 import json
 import logging
-import os
 import re
 from datetime import datetime
 
@@ -803,20 +802,8 @@ class Meta:
 
     def validate(self, data):
         if file := data.get("file"):
-            ext = os.path.splitext(file.name)[1]  # [0] returns path+filename
-            valid_extensions = settings.FILE_UPLOAD_TYPES
-            if ext.lower() not in valid_extensions:
-                if accepted_extensions := f"{', '.join(valid_extensions)}":
-                    msg = (
-                        "Unsupported extension. Supported extensions are as "
-                        f"follows: {accepted_extensions}"
-                    )
-                else:
-                    msg = (
-                        "File uploads are prohibited due to the list of acceptable "
-                        "file extensions being empty"
-                    )
-                raise ValidationError(msg)
+            # the clean will validate the file extensions and raise a Validation error if the extensions are not accepted
+            FileUpload(title=file.name, file=file).clean()
             return data
         return None
 

diff --git a/dojo/models.py b/dojo/models.py
@@ -6,6 +6,7 @@
 import re
 import warnings
 from datetime import datetime
+from pathlib import Path
 from uuid import uuid4
 
 import hyperlink
@@ -741,6 +742,28 @@ def get_accessible_url(self, obj, obj_id):
 
         return f"access_file/{self.id}/{obj_id}/{obj_type}"
 
+    def clean(self):
+        if not self.title:
+            self.title = "<No Title>"
+
+        valid_extensions = settings.FILE_UPLOAD_TYPES
+
+        # why does this not work with self.file....
+        if self.file:
+            file_name = self.file.url
+        else:
+            file_name = self.title
+        if Path(file_name).suffix.lower() not in valid_extensions:
+            if accepted_extensions := f"{', '.join(valid_extensions)}":
+                msg = (
+                    _("Unsupported extension. Supported extensions are as follows: %s") % accepted_extensions
+                )
+            else:
+                msg = (
+                    _("File uploads are prohibited due to the list of acceptable file extensions being empty")
+                )
+            raise ValidationError(msg)
+
 
 class Product_Type(models.Model):
 

diff --git a/dojo/tools/generic/json_parser.py b/dojo/tools/generic/json_parser.py
@@ -1,4 +1,8 @@
-from dojo.models import Endpoint, Finding
+import base64
+
+from django.core.files.base import ContentFile
+
+from dojo.models import Endpoint, FileUpload, Finding
 from dojo.tools.parser_test import ParserTest
 
 
@@ -103,6 +107,11 @@ def _get_test_json(self, data):
                         endpoint = Endpoint(**endpoint_item)
                     finding.unsaved_endpoints.append(endpoint)
             if unsaved_files:
+                for unsaved_file in unsaved_files:
+                    data = base64.b64decode(unsaved_file.get("data"))
+                    title = unsaved_file.get("title", "<No title>")
+                    FileUpload(title=title, file=ContentFile(data)).clean()
+
                 finding.unsaved_files = unsaved_files
             if finding.cve:
                 finding.unsaved_vulnerability_ids = [finding.cve]

diff --git a/unittests/scans/generic/test_with_image_no_ext.json b/unittests/scans/generic/test_with_image_no_ext.json