Fix Unrestricted Upload of File with Dangerous Type (from Huntr bug bounty report)
MaKyOtOx committed Dec 14, 2021
1 parent bafc9bb commit 2287c97
Showing 2 changed files with 17 additions and 4 deletions.
2 changes: 1 addition & 1 deletion app/urls.py
Expand Up @@ -28,7 +28,7 @@ def i18n_javascript(request):
handler500 = 'app.views.custom_error'


api_schema_view = get_swagger_view(title='PatrOwl Manager REST-API')
api_schema_view = get_swagger_view(title='PatrowlManager REST-API')

urlpatterns = [
url(r'^apis-doc', api_schema_view),
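--- a/findings/forms.py
+++ b/findings/forms.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 
+import os
 from django import forms
 from .models import Finding, FINDING_SEVERITIES
 
@@ -9,6 +10,13 @@
 )
 
 
+def validate_file_extension(value):
+    ext = os.path.splitext(value.name)[1]
+    valid_extensions = ['.xml', '.nessus', '.json']
+    if ext not in valid_extensions:
+        raise ValidationError(u'File not supported!')
+
+
 class ImportFindingsForm(forms.Form):
     class Meta:
         fields = ['engine', 'min_level', 'file']
@@ -20,14 +28,19 @@ class Meta:
             attrs={'class': 'form-control form-control-sm'},
             choices=FINDING_SEVERITIES),
         label='Minimum severity')
-    file = forms.FileField()
+    file = forms.FileField(widget=forms.FileInput(
+        attrs={'accept': 'text/xml,application/json'}),
+        validators=[validate_file_extension]
+    )
 
 
 class FindingForm(forms.ModelForm):
     class Meta:
         model = Finding
-        fields = ['title', 'type', 'severity', 'status', 'description', 'tags',
-                  'solution', 'risk_info', 'vuln_refs', 'links', 'comments', 'asset']
+        fields = [
+            'title', 'type', 'severity', 'status', 'description', 'tags',
+            'solution', 'risk_info', 'vuln_refs', 'links', 'comments', 'asset'
+        ]
         widgets = {
             'description': forms.Textarea(
                 attrs={'class': 'form-control form-control-sm'}),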
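Review bot: `validate_file_extension` compares the extension case-sensitively, so a legitimate `report.XML` or `scan.NESSUS` is rejected while nothing about the allow-list changes; lower-casing first, `ext = os.path.splitext(value.name)[1].lower()`, fixes that. `ValidationError` is not brought in by the visible `import os` / `from django import forms` lines, so unless it arrives through the elided multi-line import whose closing `)` opens the second hunk, the validator raises `NameError` instead of a form error — `raise forms.ValidationError('File not supported!')` avoids the question and drops the Python-2 `u''` prefix at the same time. Keep in mind that both this validator and the `accept` widget attribute only inspect the client-supplied filename and MIME hint, never the bytes; the importer that actually parses the upload is outside this diff and still has to treat the content as untrusted (for `.xml`/`.nessus` that means parsing with external entity resolution disabled).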