Enable additional upload validators for django-attachments
to block files which may be executed by the browser and cause problems for users who aren't careful. Tested with an .exe file from ReactOS.
Showing
10 changed files
with
90 additions
and
1 deletion.
@@ -0,0 +1,15 @@ | ||
tcms.kiwi\_attachments package | ||
============================== | ||
|
||
.. automodule:: tcms.kiwi_attachments | ||
:members: | ||
:undoc-members: | ||
:show-inheritance: | ||
|
||
Submodules | ||
---------- | ||
|
||
.. toctree:: | ||
:maxdepth: 4 | ||
|
||
tcms.kiwi_attachments.validators |
@@ -0,0 +1,7 @@ | ||
tcms.kiwi\_attachments.validators module | ||
======================================== | ||
|
||
.. automodule:: tcms.kiwi_attachments.validators | ||
:members: | ||
:undoc-members: | ||
:show-inheritance: |
Empty file.
@@ -0,0 +1,14 @@ | ||
from attachments.apps import AttachmentsConfig | ||
|
||
from . import validators | ||
|
||
|
||
class AppConfig(AttachmentsConfig): | ||
""" | ||
Defines custom form validators! | ||
""" | ||
|
||
attachment_validators = ( | ||
validators.deny_uploads_ending_in_dot_exe, | ||
validators.deny_uploads_containing_script_tag, | ||
) |
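Review bot: The docstring "Defines custom form validators!" does not tell a reader what the validators reject or in which order they run, and `attachment_validators` is the only thing this class does. I would replace it with a docstring along the lines of `"""Upload validators applied, in order, to every attachment: reject names/content types that look like Windows executables, then reject payloads containing a <script> tag."""`. It is also worth stating there that these are best-effort blocklist checks (filename substring, client-supplied content type, byte scan) rather than a guarantee that nothing browser-executable gets stored, so that nobody later reads this config as a complete defence. Presumably this config replaces the stock `attachments` app entry in INSTALLED_APPS; a one-line comment saying so would save the next maintainer a lookup.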
Empty file.
@@ -0,0 +1,29 @@ | ||
# -*- coding: utf-8 -*- | ||
# pylint: disable=attribute-defined-outside-init, invalid-name, objects-update-used | ||
|
||
import base64 | ||
from xmlrpc.client import Fault | ||
|
||
from tcms.rpc.tests.utils import APITestCase | ||
|
||
|
||
class TestValidators(APITestCase): | ||
def test_uploading_svg_with_inline_script_should_fail(self): | ||
with open("tests/ui/data/inline_javascript.svg", "rb") as svg_file: | ||
b64 = base64.b64encode(svg_file.read()).decode() | ||
|
||
with self.assertRaisesRegex(Fault, "File contains forbidden <script> tag"): | ||
self.rpc_client.User.add_attachment("inline_javascript.svg", b64) | ||
|
||
def test_uploading_filename_ending_in_dot_exe_should_fail(self): | ||
with self.assertRaisesRegex(Fault, "Uploading executable files is forbidden"): | ||
self.rpc_client.User.add_attachment("hello.exe", "a2l3aXRjbXM=") | ||
|
||
def test_uploading_real_exe_file_should_fail(self): | ||
with open("tests/ui/data/reactos_csrss.exe", "rb") as exe_file: | ||
b64 = base64.b64encode(exe_file.read()).decode() | ||
|
||
with self.assertRaisesRegex( | ||
Fault, "Uploading executable files is forbidden" | ||
): | ||
self.rpc_client.User.add_attachment("csrss.exe_from_reactos", b64) |
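Review bot: `test_uploading_real_exe_file_should_fail` does not exercise the content-type branch it appears to target, because the filename `csrss.exe_from_reactos` still contains `.exe` and the validator's `name.find(".exe") > -1` check fires first; the binary payload is never what causes the rejection. Give the file a name without that substring, e.g. `self.rpc_client.User.add_attachment("csrss_from_reactos.bin", b64)`, so the test actually proves the PE payload is detected — and if it then passes, that is the real finding, since how `content_type` is derived for an XML-RPC base64 upload is not visible here. There is also no positive test showing that a harmless upload (a `.txt` or a script-free `.svg`) is still accepted, which is the cheapest guard against a validator that rejects everything.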
@@ -0,0 +1,23 @@ | ||
from django.forms import ValidationError | ||
from django.utils.translation import gettext_lazy as _ | ||
|
||
|
||
def deny_uploads_containing_script_tag(uploaded_file): | ||
for chunk in uploaded_file.chunks(2048): | ||
if chunk.find(b"<script") > -1: | ||
raise ValidationError(_("File contains forbidden <script> tag")) | ||
|
||
|
||
def deny_uploads_ending_in_dot_exe(uploaded_file): | ||
message = _("Uploading executable files is forbidden") | ||
|
||
if uploaded_file.name.find(".exe") > -1: | ||
raise ValidationError(message) | ||
|
||
if uploaded_file.content_type in [ | ||
"application/vnd.microsoft.portable-executable", | ||
"application/x-dosexec", | ||
"application/x-ms-dos-executable", | ||
"application/x-msdownload", | ||
]: | ||
raise ValidationError(message) |
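Review bot: `deny_uploads_containing_script_tag` misses a `<script` tag that straddles a 2048-byte chunk boundary, and `chunk.find(b"<script")` is case-sensitive, so `<SCRIPT>` or `<Script` in an SVG passes; carrying the last `len(b"<script") - 1` bytes of each chunk into the next and lowercasing before the search closes both gaps (rewrite below). In `deny_uploads_ending_in_dot_exe`, `uploaded_file.name.find(".exe") > -1` is a substring test rather than the "ending in" the name promises, so `HELLO.EXE` is accepted while `notes.exec.txt` is rejected; `uploaded_file.content_type` is supplied by the uploading client and trivially spoofed, so lowercasing the name and checking the first two bytes of the payload for the `MZ` header would be a more robust executable test. Both remain blocklist checks: `.html`/`.htm` uploads and SVG event-handler attributes such as `onload=` are presumably still accepted, which is worth saying in the docstrings so these validators are read as best-effort hardening rather than a substitute for serving attachments with `Content-Disposition: attachment`.
```python
_SCRIPT_TAG = b"<script"
_CARRY = len(_SCRIPT_TAG) - 1


def deny_uploads_containing_script_tag(uploaded_file):
    """Reject uploads whose bytes contain a ``<script`` tag in any letter case."""
    tail = b""
    for chunk in uploaded_file.chunks(2048):
        window = tail + chunk.lower()
        if _SCRIPT_TAG in window:
            raise ValidationError(_("File contains forbidden <script> tag"))
        # keep enough of this chunk to catch a tag split across the boundary
        tail = window[-_CARRY:]

# … unchanged: deny_uploads_ending_in_dot_exe …
```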
Binary file not shown.