Additional validation and escaping for file names.

This adds additional front and backend validations for task order file names. We are now restricting file names to a whitelist regex of [A-Za-z0-9\-_ \.] for simplicity. Note: On the frontend, the filename string must have at least one character. This is not true in the backend validation; because of the way the entire task order form is validated, requiring input would break the business logic currently implemented.
2020-01-12 11:33:33 -05:00
parent 05bc8c3819
commit 5213657b0f
7 changed files with 35 additions and 5 deletions
--- a/atst/forms/task_order.py
+++ b/atst/forms/task_order.py
@@ -7,7 +7,7 @@ from wtforms.fields import (
    HiddenField,
 )
 from wtforms.fields.html5 import DateField
-from wtforms.validators import Required, Length, NumberRange, ValidationError
+from wtforms.validators import Required, Length, NumberRange, ValidationError, Regexp
 from flask_wtf import FlaskForm
 from numbers import Number

@@ -15,6 +15,7 @@ from .data import JEDI_CLIN_TYPES
 from .fields import SelectField
 from .forms import BaseForm, remove_empty_string
 from atst.utils.localization import translate
+from .validators import REGEX_ALPHA_NUMERIC
 from flask import current_app as app

 MAX_CLIN_AMOUNT = 1000000000
@@ -116,7 +117,10 @@ class AttachmentForm(BaseForm):
    filename = HiddenField(
        id="attachment_filename",
        validators=[
-            Length(max=100, message=translate("forms.attachment.filename.length_error"))
+            Length(
+                max=100, message=translate("forms.attachment.filename.length_error")
+            ),
+            Regexp(regex=REGEX_ALPHA_NUMERIC),
        ],
    )
    object_name = HiddenField(
@@ -124,7 +128,8 @@ class AttachmentForm(BaseForm):
        validators=[
            Length(
                max=40, message=translate("forms.attachment.object_name.length_error")
-            )
+            ),
+            Regexp(regex=REGEX_ALPHA_NUMERIC),
        ],
    )
    accept = ".pdf,application/pdf"
--- a/atst/forms/validators.py
+++ b/atst/forms/validators.py
@@ -8,6 +8,9 @@ import pendulum
 from atst.utils.localization import translate


+REGEX_ALPHA_NUMERIC = "^[A-Za-z0-9\-_ \.]*$"
+
+
 def DateRange(lower_bound=None, upper_bound=None, message=None):
    def _date_range(form, field):
        if field.data is None: