This adds additional front and backend validations for task order file
names. We are now restricting file names to a whitelist regex of
[A-Za-z0-9\-_ \.] for simplicity.
Note:
On the frontend, the filename string must have at least one character.
This is not true in the backend validation; because of the way the
entire task order form is validated, requiring input would break the
business logic currently implemented.
This addresses an SSTI vulnerability in Flask's `render_template_string`
function, which we were using for rendering flash messages. The
implementation I'd built was too complicated, so I removed its reliance
on Jinja template rendering. Instead, all parts of the flash message
should be keys in the translations file. The `flash` wrapper in
`atst.utils.flash` is just a thin wrapper over our `translate` function.
The `translate` function relies on Python string formatting, which does
not evaluate expressions and so isn't vulnerable to SSTI.
Update TaskOrderForm so that it converts empty string for number into None, this was causing an issue where new TOs were being saved with an empty string for the number, which violated the unique constraint.
New designs call for a streamlined New Portfolio page, with far
fewer input options. This commit refactors that page according to those
designs.
Some of the route functions in this commit refer to a "step 1" of creating
a new Portfolio. Though there is no "step 2" right now, the designs call
for a multistep flow for Portfolio creation process, so this commit sets
the stage for that.
In order to more easily sort JEDI Clins for the obligated funds section,
the JEDI CLIN enum values were used in the output dict instead of their
verbose labels. And in order to bring the labels in line with designs,
the JEDI CLIN labels were DRYed up in the translations file, which
required making small changes in a few other places across the project.
This commit lays out the genral structure and provides necessary
data for the new reporting page designs.
Some of the data generated by the report domain classes (including
the mock CSP reporting class) was modified to fit new designs. This also
included removing data that was no longer necessary. Part of the newly
mocked data includes the idea of "expended" data per CLIN or task order.
This was was mocked simply by using a 75% of the obligated funds fo a
given object. Tests were also written for these new/ modifed reporting
functions.
As for the front end, this commit only focuses on the high-level markup
layout. This includes splitting the large reporting index page into
smaller component templates for each of the major sections of the report.
