Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add stronger validation for storage path on upload complete endpoints #2047

Merged
merged 4 commits into from
Nov 7, 2024
Merged

Add stronger validation for storage path on upload complete endpoints #2047

merged 4 commits into from
Nov 7, 2024

Conversation

carolinemodic
Copy link
Contributor

#2039

Validates that the storage path passed to upload-complete is the expected path before saving.

jonahkagan
jonahkagan reviewed Nov 6, 2024
View reviewed changes
server/util/file.py Outdated
def validate_and_get_standard_file_upload_request_params(
request: Request,
validate_storage_path: Callable[[str], None],
validate_file_type: Callable[[str], None],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a reader, it's a little complicated to grok the call sites of this function. It seems like they are mostly doing the same thing, so I wonder if this function could have the following signature:

def validate_and_get_standard_file_upload_request_params(
  request: Request,
  expected_file_directory_path: str,
  expected_file_name_prefix: str,
  expected_file_extension: str | List[str]
  expected_file_type: str | List[str]
)

Also, I'm realizing that file types and file extensions are in a predefined mapping, so maybe we could pull that out into a constant and just pass in one of them.

@carolinemodic carolinemodic force-pushed the caro/add_validation_storage_path branch 2 times, most recently from 75c72c2 to fde2835 Compare November 7, 2024 17:02
jonahkagan
jonahkagan approved these changes Nov 7, 2024
View reviewed changes
Copy link
Contributor

@jonahkagan jonahkagan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Excited to see where we can use FileType further!

server/api/batch_inventory.py Outdated
validate_zip_mimetype(file_type)
else:
expected_file_types = [FileType.ZIP]
elif batch_inventory_data.system_type != CvrFileType.DOMINION:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a little confusing that the dominion case is set as a default at the top and then checked as the last case in the if/else chain. Now that this is just a mapping from CvrFileType to List[FileType], maybe we could just use a dict?

server/tests/batch_comparison/test_batch_inventory.py
@@ -316,7 +316,7 @@ def test_batch_inventory_happy_path(
json.loads(rv.data),
{
"file": {
"name": asserts_startswith("batchTallies"),
"name": asserts_startswith("batch_tallies"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: should we be consistent with file prefixes using either hyphen or underscore word separators? I noticed there's a mix

@carolinemodic carolinemodic force-pushed the caro/add_validation_storage_path branch from fde2835 to 2031ffc Compare November 7, 2024 19:29
@carolinemodic carolinemodic enabled auto-merge (squash) November 7, 2024 19:37
@carolinemodic carolinemodic merged commit 00030b4 into main Nov 7, 2024
5 checks passed
@carolinemodic carolinemodic deleted the caro/add_validation_storage_path branch November 7, 2024 19:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonahkagan jonahkagan jonahkagan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@carolinemodic @jonahkagan