Merge pull request #3919 from freedomofpress/reply-basename
only save basename of filename for a reply on API requests
redshiftzero committed Nov 2, 2018
2 parents ee20953 + a812b22 commit 71aa8d7
Showing 2 changed files with 11 additions and 6 deletions.
14 changes: 8 additions & 6 deletions securedrop/journalist_app/api.py
@@ -1,9 +1,10 @@
from datetime import datetime, timedelta
from functools import wraps
import json
from werkzeug.exceptions import default_exceptions # type: ignore

from datetime import datetime, timedelta
from flask import abort, Blueprint, current_app, jsonify, request
from functools import wraps
from os import path
from werkzeug.exceptions import default_exceptions # type: ignore

from db import db
from journalist_app import utils
Expand Down Expand Up @@ -238,9 +239,10 @@ def all_source_replies(source_uuid):
return jsonify(
{'message': 'You must encrypt replies client side'}), 400

reply = Reply(user, source,
current_app.storage.path(source.filesystem_id,
filename))
# issue #3918
filename = path.basename(filename)

reply = Reply(user, source, filename)
db.session.add(reply)
db.session.add(source)
db.session.commit()
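Review bot: The new `# issue #3918` comment above `filename = path.basename(filename)` records where the bug was tracked but not what invariant the code now enforces; the removed lines show `filename` was previously wrapped in `current_app.storage.path(...)` before being stored, so dropping that wrapper is the actual fix and the `basename` call reads as a defensive guard whose purpose should be stated. I would replace the comment with `# Reply.filename must hold only the basename, never the on-disk storage path (#3918)`. The origin of `filename` is above the hunk (all_source_replies starts outside it); if it is built server-side as the test's `expected_filename` pattern suggests, the guard is harmless, but if it can ever carry a client-supplied component the comment should say that is what the basename call strips. In the import hunk, `import json` appears on the old side only and `current_app` is no longer used in this hunk; confirm the file has no remaining `json.` uses and that `current_app` is still needed elsewhere before relying on the reordered import block.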
3 changes: 3 additions & 0 deletions securedrop/tests/test_journalist_api.py
Expand Up @@ -653,6 +653,9 @@ def test_authorized_user_can_add_reply(journalist_app, journalist_api_token,
assert reply.journalist_id == test_journo['id']
assert reply.source_id == source_id

# regression test for #3918
assert '/' not in reply.filename

source = Source.query.get(source_id)

expected_filename = '{}-{}-reply.gpg'.format(
