From 73d0b44ac73d3bfea9da3a61c3be62f0a610efdc Mon Sep 17 00:00:00 2001
From: BenediktMKuehne
Date: Mon, 17 Jun 2024 13:56:39 +0000
Subject: [PATCH 1/5] fix resource file download from inside emba_log
---
 embark/reporter/views.py | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/embark/reporter/views.py b/embark/reporter/views.py
index 2f984670..d5baa34b 100644
--- a/embark/reporter/views.py
+++ b/embark/reporter/views.py
@@ -93,23 +93,23 @@ def html_report_path(request, analysis_id, html_path, html_file):
 @require_http_methods(["GET"])
 @login_required(login_url='/' + settings.LOGIN_URL)
-def html_report_download(request, analysis_id, html_path, download_file): # TODO Needed for EMBA?
+def html_report_download(request, analysis_id, html_path, download_file):
 response = Http404("Resource not found")
 if FirmwareAnalysis.objects.filter(id=analysis_id).exists():
 analysis = FirmwareAnalysis.objects.get(id=analysis_id)
 if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser:
- base_path = f"{settings.EMBA_LOG_ROOT}"
- if request.path.startswith('/'):
- file_path = request.path[1:]
- else:
- file_path = request.path[2:]
- full_path = os.path.normpath(os.path.join(base_path, file_path))
- if full_path.startswith(base_path):
- with open(full_path, 'rb') as requested_file:
- response = HttpResponse(requested_file.read(), content_type="text/plain")
- response['Content-Disposition'] = 'attachment; filename=' + os.path.basename(full_path)
- logger.info("html_report - analysis_id: %s html_path: %s download_file: %s", analysis_id, html_path,
- download_file)
+ resource_path = Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_path}/{download_file}')
+ if Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/') in resource_path.parents:
+ try:
+ with open(resource_path, 'rb') as requested_file:
+ response = HttpResponse(requested_file.read(), content_type="text/plain")
+ response['Content-Disposition'] = 'attachment; filename=' + download_file
+ logger.info("html_report - analysis_id: %s html_path: %s download_file: %s", analysis_id, html_path,
+ download_file)
+ except FileNotFoundError:
+ messages.error(request, "File not found on the server")
+ logger.error("Couldn't find %s", resource_path)
+ response = HttpResponse("Couldn't find %s", resource_path)
 return response
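Review bot: The containment test `Path(...) in resource_path.parents` compares path components lexically, and `Path` does not collapse `..`, so a `html_path` or `download_file` containing `..` segments still has the html-report directory among its parents while `open()` reads a file outside it; whether the URL converters admit such segments is not visible in this hunk. Resolve both sides before comparing, for example `resource_path = Path(...).resolve()` followed by `resource_path.is_relative_to(report_root.resolve())`, where `report_root` stands for the html-report base path. Separately, the `except` branch calls `HttpResponse("Couldn't find %s", resource_path)`, which leaves `%s` unformatted and passes the server-side path as the second positional argument (Django's `content_type`) with status 200; `response = HttpResponse("File not found", status=404)` avoids both. The same line recurs in the views.py hunks of patches 2/5 and 5/5.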
From 79c3d67643b7e4344231c2bdb68ab3567de20f9d Mon Sep 17 00:00:00 2001
From: BenediktMKuehne
Date: Tue, 18 Jun 2024 12:55:09 +0000
Subject: [PATCH 2/5] fix reporter file-download
---
 embark/reporter/views.py | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/embark/reporter/views.py b/embark/reporter/views.py
index d5baa34b..f39d53ac 100644
--- a/embark/reporter/views.py
+++ b/embark/reporter/views.py
@@ -99,17 +99,16 @@ def html_report_download(request, analysis_id, html_path, download_file):
 analysis = FirmwareAnalysis.objects.get(id=analysis_id)
 if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser:
 resource_path = Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_path}/{download_file}')
- if Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/') in resource_path.parents:
- try:
- with open(resource_path, 'rb') as requested_file:
- response = HttpResponse(requested_file.read(), content_type="text/plain")
- response['Content-Disposition'] = 'attachment; filename=' + download_file
- logger.info("html_report - analysis_id: %s html_path: %s download_file: %s", analysis_id, html_path,
- download_file)
- except FileNotFoundError:
- messages.error(request, "File not found on the server")
- logger.error("Couldn't find %s", resource_path)
- response = HttpResponse("Couldn't find %s", resource_path)
+ try:
+ with open(resource_path, 'rb') as requested_file:
+ response = HttpResponse(requested_file.read(), content_type="text/plain")
+ response['Content-Disposition'] = 'attachment; filename=' + download_file
+ logger.info("html_report - analysis_id: %s html_path: %s download_file: %s", analysis_id, html_path,
+ download_file)
+ except FileNotFoundError:
+ messages.error(request, "File not found on the server")
+ logger.error("Couldn't find %s", resource_path)
+ response = HttpResponse("Couldn't find %s", resource_path)
 return response
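Review bot: With the `if Path(...) in resource_path.parents:` guard removed, nothing in the new code constrains `resource_path` before `open()`, although `html_path` and `download_file` come from the URL and are interpolated straight into the path. Unless the URL patterns (not visible here) exclude `..` and path separators, a logged-in user who passes the visibility check could be served files outside that analysis's html-report directory. Keep a containment check in this commit, performed on resolved paths, rather than dropping it; patch 5/5 of this series reintroduces one, but this commit is unguarded when applied or bisected on its own. The function begins outside the hunk.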
From 2e25e710eb8469f40e78ca4f3ba233ec1a8ec3f0 Mon Sep 17 00:00:00 2001
From: BenediktMKuehne
Date: Thu, 20 Jun 2024 08:44:26 +0000
Subject: [PATCH 3/5] fix depricated version tag
---
 docker-compose.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 13a5ec8d..d97176c7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,3 @@
----
-version: "3"
-# https://docs.docker.com/compose/compose-file/compose-file-v3/#deploy
 services:
 embark_db:
From 66f396dcec95287fa7b1745d9d2b52aee73552c1 Mon Sep 17 00:00:00 2001
From: Benedikt Kuehne <62940240+BenediktMKuehne@users.noreply.github.com>
Date: Thu, 20 Jun 2024 12:11:31 +0200
Subject: [PATCH 4/5] add doc start
---
 docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index d97176c7..e6b69815 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,4 @@
+---
 services:
 embark_db:
From 355a4668082e5e7400a80a86090dc68b31a40398 Mon Sep 17 00:00:00 2001
From: BenediktMKuehne
Date: Thu, 20 Jun 2024 10:12:17 +0000
Subject: [PATCH 5/5] add resolve and check to pathing
---
 embark/reporter/views.py | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/embark/reporter/views.py b/embark/reporter/views.py
index f39d53ac..ec9b0ac3 100644
--- a/embark/reporter/views.py
+++ b/embark/reporter/views.py
@@ -98,17 +98,19 @@ def html_report_download(request, analysis_id, html_path, download_file):
 if FirmwareAnalysis.objects.filter(id=analysis_id).exists():
 analysis = FirmwareAnalysis.objects.get(id=analysis_id)
 if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser:
- resource_path = Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_path}/{download_file}')
- try:
- with open(resource_path, 'rb') as requested_file:
- response = HttpResponse(requested_file.read(), content_type="text/plain")
- response['Content-Disposition'] = 'attachment; filename=' + download_file
- logger.info("html_report - analysis_id: %s html_path: %s download_file: %s", analysis_id, html_path,
- download_file)
- except FileNotFoundError:
- messages.error(request, "File not found on the server")
- logger.error("Couldn't find %s", resource_path)
- response = HttpResponse("Couldn't find %s", resource_path)
+ resource_path = os.path.abspath(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_path}/{download_file}')
+ parent_path = os.path.abspath(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/')
+ if os.path.commonpath([parent_path, resource_path]) == parent_path:
+ try:
+ with open(resource_path, 'rb') as requested_file:
+ response = HttpResponse(requested_file.read(), content_type="text/plain")
+ response['Content-Disposition'] = 'attachment; filename=' + download_file
+ logger.info("html_report - analysis_id: %s html_path: %s download_file: %s", analysis_id, html_path,
+ download_file)
+ except FileNotFoundError:
+ messages.error(request, "File not found on the server")
+ logger.error("Couldn't find %s", resource_path)
+ response = HttpResponse("Couldn't find %s", resource_path)
 return response
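Review bot: `os.path.abspath` only normalises the path string, so the `commonpath` comparison does not account for symlinks: if the report tree can contain a link that points elsewhere, it passes the check and `open()` then follows it. Since the subject line says "resolve", `os.path.realpath` looks like the intended call for both values, i.e. `resource_path = os.path.realpath(...)` and `parent_path = os.path.realpath(...)` with the same arguments. The check also accepts `resource_path == parent_path` and any subdirectory, where `open()` raises `IsADirectoryError`, which the `except FileNotFoundError:` clause does not catch. The function starts above the hunk.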