diff --git a/embark/reporter/urls.py b/embark/reporter/urls.py index 336a621b..c3e51b36 100644 --- a/embark/reporter/urls.py +++ b/embark/reporter/urls.py @@ -11,9 +11,9 @@ # view routing urlpatterns = [ # TODO get rid of the emba log paths - path(settings.EMBA_LOG_URL + '/emba_logs/html-report/', views.html_report, name='embark-html-report-index'), - path(settings.EMBA_LOG_URL + '/emba_logs/html-report/style/', views.html_report_resource, name='embark-html-report-resource'), - path(settings.EMBA_LOG_URL + '/emba_logs/html-report//', views.html_report_path, name='embark-html-report-path'), + path(settings.EMBA_LOG_URL + '/', views.html_report, name='embark-html-report-index'), + path(settings.EMBA_LOG_URL + '/style/', views.html_report_resource, name='embark-html-report-resource'), + path(settings.EMBA_LOG_URL + '//', views.html_report_path, name='embark-html-report-path'), path('get_load/', views.get_load, name='embark-get-load'), path('get_individual_report//', views.get_individual_report, name='embark-get-individual-report'), path('get_accumulated_reports/', views.get_accumulated_reports, name='embark-get-accumulated-reports'), diff --git a/embark/reporter/views.py b/embark/reporter/views.py index 4e963c9d..4cefd82a 100644 --- a/embark/reporter/views.py +++ b/embark/reporter/views.py @@ -48,17 +48,21 @@ def reports(request): @require_http_methods(["GET"]) @login_required(login_url='/' + settings.LOGIN_URL) def html_report(request, analysis_id, html_file): + """ + Let's the user request any html in the html-report + Checks: valid filename + TODO test traversal + """ # make sure the html file is valid html_file_pattern = re.compile(r'^[\w,\s-]+\.html$') - if html_file.endswith('.html') and bool(re.match(html_file_pattern, html_file)): - report_path = Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_file}') - if FirmwareAnalysis.objects.filter(id=analysis_id).exists(): - analysis = FirmwareAnalysis.objects.get(id=analysis_id) - if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser: - html_body = get_template(report_path) - logger.debug("html_report - analysis_id: %s html_file: %s", analysis_id, html_file) - return HttpResponse(html_body.render({'embarkBackUrl': reverse('embark-ReportDashboard')})) - messages.error(request, "User not authorized") + report_path = Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_file}') + if FirmwareAnalysis.objects.filter(id=analysis_id).exists() and bool(re.match(html_file_pattern, html_file)): + analysis = FirmwareAnalysis.objects.get(id=analysis_id) + if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser: + html_body = get_template(report_path) + logger.debug("html_report - analysis_id: %s html_file: %s", analysis_id, html_file) + return HttpResponse(html_body.render({'embarkBackUrl': reverse('embark-ReportDashboard')})) + messages.error(request, "User not authorized") logger.error("could not get template - %s", request) return redirect("..") @@ -67,9 +71,12 @@ def html_report(request, analysis_id, html_file): @login_required(login_url='/' + settings.LOGIN_URL) def html_report_path(request, analysis_id, html_path, file): """ - The functions needs to either server html files or provide download + The functions needs to either serve html files or provide download of files in the subdirs + Checks: valid filename, path.resolved in correct parent """ - if FirmwareAnalysis.objects.filter(id=analysis_id).exists(): + # make sure the html file is valid + file_pattern = re.compile(r'^[\w,\s-]+\.+(tar.gz|html)$') + if FirmwareAnalysis.objects.filter(id=analysis_id).exists() and bool(re.match(file_pattern, file)): analysis = FirmwareAnalysis.objects.get(id=analysis_id) if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser: resource_path = f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_path}/{file}' @@ -122,6 +129,10 @@ def html_report_path(request, analysis_id, html_path, file): @require_http_methods(["GET"]) @login_required(login_url='/' + settings.LOGIN_URL) def html_report_resource(request, analysis_id, img_file): + """ + Serves all resource files needed by the report + Chcks: filename validity + """ # make sure the html file is valid img_file_pattern = re.compile(r'^[\w,\s-]+\.+(css|svg|png)$') if bool(re.match(img_file_pattern, img_file)):