File upload improvements #2919
File upload improvements #2919
Conversation
BCerki
force-pushed
the
2123-remove-files-have-same-hash
branch
from
e775467 to
43cca7d
Compare
BCerki
force-pushed
the
2123-remove-files-have-same-hash
branch
from
38918a4 to
0bdf9cc
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| <ul className="m-0 py-0 flex flex-col justify-start"> | ||
| <li> | ||
| <Link | ||
| download={fileName} |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 2 days ago
To fix the problem, we need to ensure that the fileName is properly escaped before being rendered in the DOM. This can be achieved by using a library like he (HTML entities) to encode the file name, which will prevent any HTML or JavaScript from being executed.
- Import the
helibrary for encoding HTML entities. - Encode the
fileNamebefore rendering it in theLinkcomponent.
| @@ -6,2 +6,3 @@ | ||
| import Link from "next/link"; | ||
| import he from "he"; | ||
|
|
||
| @@ -99,3 +100,3 @@ | ||
| <Link | ||
| download={fileName} | ||
| download={he.encode(fileName)} | ||
| href={downloadUrl} | ||
| @@ -104,3 +105,3 @@ | ||
| > | ||
| {fileName} | ||
| {he.encode(fileName)} | ||
| </Link> |
| @@ -106,3 +106,4 @@ | ||
| "vite-require": "^0.2.3", | ||
| "vitest": "^3.0.5" | ||
| "vitest": "^3.0.5", | ||
| "he": "^1.2.0" | ||
| }, |
| Package | Version | Security advisories |
| he (npm) | 1.2.0 | None |
There was a problem hiding this comment.
CodeQL has raised an interesting point here. I'm looking into this more to see if it can actually be exploited.
| ) -> Tuple[Literal[200], Operation]: | ||
| payload = OperationNewEntrantApplicationInWithDocuments( | ||
| date_of_first_shipment=details.date_of_first_shipment, |
There was a problem hiding this comment.
Doing it like this instead of **details.dict() was to make mypy happy
| naics_code_id: Optional[int] = None | ||
| opt_in: Optional[bool] = False |
There was a problem hiding this comment.
These are optional and None so I'm not sure why I'm getting mypy errors
BCerki
force-pushed
the
2123-remove-files-have-same-hash
branch
3 times, most recently
from
9f2664b to
06b749b
Compare
BCerki
force-pushed
the
2123-remove-files-have-same-hash
branch
from
06b749b to
6a71ad4
Compare
There was a problem hiding this comment.
I wasn't able to get past the first step of the Registration workflow. Getting this error in the backend:
File "/Users/awilliam/Documents/cas-registration/bc_obps/service/document_service_v2.py", line 29, in create_or_replace_operation_document
existing_document = cls.get_operation_document_by_type_if_authorized(user_guid, operation_id, document_type)
^^^^^^^^^^^^
NameError: name 'operation_id' is not defined
---------------------------------------------ERROR END-------------------------------------------------
Bad Request: /api/registration/operations/df62d793-8cfe-4272-a93e-ea9c9139ff82/registration/operation
[11/Mar/2025 22:07:41] "PUT /api/registration/operations/df62d793-8cfe-4272-a93e-ea9c9139ff82/registration/operation HTTP/1.1" 400 49
| # Administration schemas | ||
|
|
||
|
|
||
| class OperationAdminstrationIn(OperationRegistrationIn): |
There was a problem hiding this comment.
| class OperationAdminstrationIn(OperationRegistrationIn): | |
| class OperationAdministrationIn(OperationRegistrationIn): |
| operation_representatives: List[int] | ||
|
|
||
|
|
||
| class OperationAdminstrationInWithDocuments(OperationRegistrationInWithDocuments): |
There was a problem hiding this comment.
| class OperationAdminstrationInWithDocuments(OperationRegistrationInWithDocuments): | |
| class OperationAdministrationInWithDocuments(OperationRegistrationInWithDocuments): |
| @router.get( | ||
| "/operations/{uuid:operation_id}/documents/{uuid:document_type}", | ||
| response={200: DocumentOut, custom_codes_4xx: Message}, | ||
| tags=OPERATOR_TAGS, |
There was a problem hiding this comment.
OPERATION_TAGS instead?
| description="""Retrieves a document""", | ||
| auth=authorize("approved_authorized_roles"), | ||
| ) | ||
| def get_operation_doucment( |
There was a problem hiding this comment.
| def get_operation_doucment( | |
| def get_operation_document( |
There was a problem hiding this comment.
I think this function name could be renamed to a more accurate descriptor - e.g., get_operation_document_by_type
| "/operations/{uuid:operation_id}/documents/{uuid:document_type}", | ||
| response={200: DocumentOut, custom_codes_4xx: Message}, | ||
| tags=OPERATOR_TAGS, | ||
| description="""Retrieves a document""", |
There was a problem hiding this comment.
| description="""Retrieves a document""", | |
| description="""Retrieves the most recent version of a document for the specified operation and document type.""", |
| """ | ||
| existing_document = cls.get_operation_document_by_type_if_authorized(user_guid, operation_id, document_type) | ||
| # if there is an existing document, check if the new one is different | ||
| existing_document = DocumentDataAccessService.get_operation_document_by_type(operation_id, type) |
There was a problem hiding this comment.
why did get_operation_document_by_type_if_authorized get replaced with this? We're no longer checking whether the user is authorized to access the document
| @@ -897,7 +904,7 @@ describe("the OperationInformationForm component", () => { | |||
| expect(screen.getByText(/Must not have fewer than 1 items/i)).toBeVisible(); | |||
| }); | |||
|
|
|||
| it( | |||
| it.only( | |||
There was a problem hiding this comment.
| it.only( | |
| it( |
| - DocumentServiceV2.create_or_replace_operation_document | ||
| - DocumentDataAccessServiceV2.create_document |
There was a problem hiding this comment.
| - DocumentServiceV2.create_or_replace_operation_document | |
| - DocumentDataAccessServiceV2.create_document | |
| - DocumentService.create_or_replace_operation_document | |
| - DocumentDataAccessService.create_document |
| // this removes the file keys if no new file has been uploaded | ||
| if ( | ||
| (key === "boundary_map" || | ||
| key === "process_flow_diagram" || | ||
| key === "new_entrant_application") && | ||
| typeof rjsfFormData[key] === "string" |
There was a problem hiding this comment.
please help this idiot understand - where does the check for "no new file has been uploaded" happen?
| <ul className="m-0 py-0 flex flex-col justify-start"> | ||
| <li> | ||
| <Link | ||
| download={fileName} |
There was a problem hiding this comment.
CodeQL has raised an interesting point here. I'm looking into this more to see if it can actually be exploited.
#2123
This PR