Commit 1396570f authored by Tanner Prestegard's avatar Tanner Prestegard Committed by GraceDB

More restrictive filename/version requirements in API file retrieval

Prevents server errors from being generated when the filename is
"bad" and when the user specifies a non-integer version. This is
for superevent files; event files are handled separately, although
this should be unified at some point.
parent 55675362
...@@ -16,7 +16,7 @@ from rest_framework.views import APIView ...@@ -16,7 +16,7 @@ from rest_framework.views import APIView
from core.file_utils import get_file_list from core.file_utils import get_file_list
from core.http import check_and_serve_file from core.http import check_and_serve_file
from core.vfile import VersionedFile from core.vfile import VersionedFile, FileVersionError, FileVersionNameError
from events.models import Event, Label from events.models import Event, Label
from events.view_utils import reverse as gracedb_reverse from events.view_utils import reverse as gracedb_reverse
from superevents.buildVOEvent import VOEventBuilderException from superevents.buildVOEvent import VOEventBuilderException
...@@ -275,7 +275,17 @@ class SupereventFileViewSet(InheritDefaultPermissionsMixin, ...@@ -275,7 +275,17 @@ class SupereventFileViewSet(InheritDefaultPermissionsMixin,
full_filename = self.kwargs.get(self.lookup_url_kwarg) full_filename = self.kwargs.get(self.lookup_url_kwarg)
# Try to split into name,version (for log lookup) # Try to split into name,version (for log lookup)
filename, version = Log.split_versioned_filename(full_filename) try:
filename, version = Log.split_versioned_filename(full_filename)
except FileVersionError as e:
# Bad version specifier
return Response('File not found, version string should be an int',
status=status.HTTP_404_NOT_FOUND)
except FileVersionNameError as e:
# File name doesn't match versioning scheme (likely has a comma
# in it that isn't part of the versioning scheme)
return Response(('Invalid filename: filename should not contain '
'commas'), status=status.HTTP_400_BAD_REQUEST)
# Get logs which are viewable by the current user and # Get logs which are viewable by the current user and
# have files attached # have files attached
......
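Review bot: The 400 branch tells the client that the filename "should not contain commas", but the comment directly above it describes the failure as a comma that is not part of the versioning scheme, so a correctly versioned name presumably carries one comma and the message contradicts the accepted format. A message such as `'Invalid filename: only one comma, separating name and version, is allowed'` would match what is enforced. Both handlers bind `as e` without using it; `except FileVersionError:` and `except FileVersionNameError:` are enough. The two rejections also return different status codes (404 for a bad version, 400 for a bad name) although both are malformed request input, so a one-line comment explaining the choice would help. The enclosing method starts and ends outside the hunk.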
...@@ -13,6 +13,17 @@ import logging ...@@ -13,6 +13,17 @@ import logging
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
class FileVersionError(Exception):
# Problem with file version (likely not an int)
pass
class FileVersionNameError(Exception):
# Problem with filename (likely has an extra comma somewhere in the
# filename)
pass
class VersionedFile(file): class VersionedFile(file):
""" """
Open a versioned file. Open a versioned file.
...@@ -149,13 +160,19 @@ class VersionedFile(file): ...@@ -149,13 +160,19 @@ class VersionedFile(file):
if len(result) == 2: if len(result) == 2:
filename = result[0] filename = result[0]
version = result[1] version = result[1]
# Version is a string here, try to convert it to an int
try:
version = int(version)
except ValueError as e:
raise FileVersionError('Bad version specifier')
elif len(result) == 1: elif len(result) == 1:
filename = result[0] filename = result[0]
version = None version = None
else: else:
err = 'Filename {0} does not match versioning scheme'.format( err = 'Filename {0} does not match versioning scheme'.format(
versioned_name) versioned_name)
raise ValueError(err) raise FileVersionNameError(err)
return filename, version return filename, version
......
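Review bot: `int(version)` in the second hunk is looser than the "should be an int" contract the view reports: it accepts a leading sign and surrounding whitespace, so a version such as `-1` or ` 2 ` passes as valid and is handed on to whatever looks up the file. Adding `if not version.isdigit(): raise FileVersionError('Bad version specifier')` before the conversion limits it to plain non-negative digits; how a negative version behaves downstream is not visible here. Separately, the name mismatch used to raise `ValueError` and now raises `FileVersionNameError`, which derives from `Exception`, so any other caller that still catches `ValueError` (the commit message says event files are handled separately) would stop catching it; declaring `class FileVersionError(ValueError):` and `class FileVersionNameError(ValueError):` keeps such callers working. The two classes would also read better with a docstring each than with a comment followed by `pass`. The enclosing method starts outside the hunk.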