Merge branch 'develop' into release-2.2

aether-odk-module/aether/odk/api/utils.py

@@ -0,0 +1,16 @@
+_whitespace = ' '
+
+_ascii_lowercase = 'abcdefghijklmnopqrstuvwxyz'
+_ascii_uppercase = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+_ascii_letters = _ascii_lowercase + _ascii_uppercase
+
+_digits = '0123456789'
+_alphanumeric = _digits + _ascii_letters
+
+_punctuation = "'!#$%&()+,-.;=@[]^_`{}~"
+
+_allowed = _whitespace + _alphanumeric + _punctuation
+
+
+def sanitize_filename(value):
+    return ''.join([c if c in _allowed else '_' for c in value])

aether-odk-module/aether/odk/api/views.py

@@ -42,6 +42,7 @@
     KernelPropagationError,
 )
 from .surveyors_utils import get_surveyors, is_surveyor
+from .utils import sanitize_filename
 
 
 class IsAuthenticatedAndNotSurveyor(IsAuthenticated):
@@ -99,12 +100,12 @@ def download(self, request, pk=None, *args, **kwargs):
         project = self.get_object_or_404(pk=pk)
 
         with tempfile.TemporaryDirectory() as temp_dir:
-            zip_name = f'{project.name or project.project_id}.zip'
+            zip_name = sanitize_filename(f'{project.name or project.project_id}.zip')
             zip_path = f'{temp_dir}/{zip_name}'
 
             with zipfile.ZipFile(zip_path, 'w') as file_zip:
                 for xform in project.xforms.all():
-                    xml_name = f'{xform.title}.xml'
+                    xml_name = sanitize_filename(f'{xform.title}.xml')
                     file_zip.writestr(xml_name, xform.xml_data)
 
             return get_file_content(zip_name, zip_path, as_attachment=True)
@@ -170,7 +171,7 @@ def download(self, request, pk=None, *args, **kwargs):
         response = FileResponse(
             streaming_content=xform.xml_data,
             as_attachment=True,
-            filename=f'{xform.title}.xml',
+            filename=sanitize_filename(f'{xform.title}.xml'),
             content_type='text/xml',
         )
         response['Access-Control-Expose-Headers'] = 'Content-Disposition'