Rework mime type white list

[Tschuppi81]

Org: Ensure mime type validator on file upload fields in form code

TYPE: Feature
LINK: ogc-2738

[linear]

OGC-2738 Arbitrary File Upload (Medium)

[codecov]

Codecov Report

❌ Patch coverage is 96.49123% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.26%. Comparing base (6574614) to head (44c347b).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/onegov/form/validators.py	93.54%	2 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
src/onegov/agency/forms/agency.py	97.26% <100.00%> (ø)
src/onegov/election_day/forms/election.py	98.14% <100.00%> (ø)
src/onegov/election_day/forms/election_compound.py	97.76% <100.00%> (ø)
src/onegov/election_day/forms/upload/common.py	100.00% <ø> (ø)
src/onegov/election_day/forms/vote.py	97.68% <100.00%> (ø)
src/onegov/form/fields.py	93.61% <100.00%> (+0.11%)	⬆️
src/onegov/form/widgets.py	85.46% <100.00%> (ø)
src/onegov/landsgemeinde/forms/agenda.py	47.66% <100.00%> (-0.27%)	⬇️
src/onegov/landsgemeinde/forms/assembly.py	94.91% <100.00%> (-0.09%)	⬇️
src/onegov/org/forms/event.py	91.88% <ø> (ø)
... and 10 more

... and 2 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6574614...44c347b. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Tschuppi81]

I saw that files types are handled differently for view_upload_file_by_json in handle_file_upload. Basically all file types are allowed. Shall we keep this?

[Tschuppi81]

Should I completely remove type application/octet-stream ? It is mostly used in conjunction with application/zip

[Daverball]

I saw that files types are handled differently for view_upload_file_by_json in handle_file_upload. Basically all file types are allowed. Shall we keep this?

We can make sure to set supported_content_types on GeneralFileCollection. That's the only one that would allow anything to be uploaded currently through those views.

[Daverball]

Looks good overall, but there's a couple of details we should iron out.

[Daverball]

Same thing here

[Daverball]

Should I completely remove type application/octet-stream ? It is mostly used in conjunction with application/zip

It's probably fine to remove it for now. There may however be the rare false positive for any files that cannot be identified correctly by libmagic. Generally pdfs, zips and any other binary file formats can end up as application/octet-stream, it's a generic catch-all content type for binary data if it couldn't be detected as anything else.

[Daverball]

Make sure this logic still holds up when field dependencies are in play, I have a feeling it does not, since it will wrap everything in a conditional validator, so you probably need to detect that case, so you don't add an unconditional and potentially redundant mimetype validator.

[Daverball]

It might be easier and more robust to store the mimetypes in an extra attribute and to override the post_validate hook, since validation_stopped is one of the parameters, which would be True if the dependency condition is unfulfilled.

So you can do something like the following in post_validate:

if not validation_stopped:
    WhitelistedMimeType(self.mimetypes)(form, self)

[Daverball]

Actually nevermind, this has the same problem, StrictOptional only stops validation if there is no data. Although technically there should be no data, when the field is hidden, so it might not matter in the end.

[Daverball]

I think it would still be a bit cleaner to move the validator into post_validate like in my code suggestion above, instead of trying to modify the given validator chain. If someone passes in a WhitelistValidator we can emit a warning or raise an exception to use the mimetypes parameter instead.

[Tschuppi81]

Now the Unsupported Media Type error is visible

[Daverball]

We're in a pretty good spot now. But we should clean up and refactor things a bit.

If mimetypes is an argument to upload fields, we no longer need to pass around instances of WhitelistedMimeType everywhere, we should use the new parameter and avoid inserting a validator object, instead let's rely on the post_validate method of Field, which we can override in UploadField (we don't need to override it in UploadMultipleField, but we should add an explicit mimetypes parameter, so we can easily access mimetypes from UploadMultipleField.mimetypes in addition to each subfield, this means this parameter should both be assigned to self.mimetypes and passed to the self.upload_field_class call.

[Daverball]

I think it would still be a bit cleaner to move the validator into post_validate like in my code suggestion above, instead of trying to modify the given validator chain. If someone passes in a WhitelistValidator we can emit a warning or raise an exception to use the mimetypes parameter instead.

[Daverball]

You're just looking for the validator in the wrong place in that test. The validator is on each field in the field list, not the field list itself. So I would get rid of this again and simplify the validators, otherwise the validator will run twice for each file. Once you move the validation from a validator in validators to post_validate you no longer will have to check for the presence of that validator anyways, since it's baked into the field itself.

[Daverball]

We can significantly simplify this when the whitelist is stored on the field (in fact you can probably get rid of this function and just replace it with the assertion):

Suggested change

	def assert_whitelisted_mimetype_validator(
	field: UploadField | UploadMultipleField
	) -> None:
	validator = find_validator(field, WhitelistedMimeType)
	assert validator
	assert validator.whitelist == WhitelistedMimeType.whitelist # type:ignore[attr-defined]
	def find_validator(
	field: Field | FileField,
	cls: type
	) -> Validator[Any, Any] | None:
	return next((v for v in field.validators if isinstance(v, cls)), None)
	def assert_whitelisted_mimetype_validator(
	field: UploadField | UploadMultipleField
	) -> None:
	assert field.whitelist == WhitelistedMimeType.whitelist

[Daverball]

Suggested change

	validator = find_validator(form['file'], WhitelistedMimeType)
	assert validator
	assert validator.whitelist == { # type:ignore[attr-defined]
	'application/msword', 'application/pdf'
	}
	assert form['file'].whitelist == { # type:ignore[attr-defined]
	'application/msword', 'application/pdf'
	}

[Daverball]

Suggested change

	validator = find_validator(form['file'], WhitelistedMimeType)
	assert validator
	assert validator.whitelist == WhitelistedMimeType.whitelist # type:ignore[attr-defined]
	assert form['file'].whitelist == WhitelistedMimeType.whitelist # type:ignore[attr-defined]

[Daverball]

Suggested change

	validator = find_validator(form['files'], WhitelistedMimeType)
	assert validator
	assert validator.whitelist == { # type:ignore[attr-defined]
	'application/msword', 'application/pdf'
	}
	assert form['files'].whitelist == { # type:ignore[attr-defined]
	'application/msword', 'application/pdf'
	}

[Daverball]

Suggested change

	validator = find_validator(form['my_files'], WhitelistedMimeType)
	assert validator
	assert validator.whitelist == WhitelistedMimeType.whitelist # type:ignore[attr-defined]
	assert form['my_files'].whitelist == WhitelistedMimeType.whitelist # type:ignore[attr-defined]