def post_attachment(self, workspace_name, vuln_id):
    """Attach an uploaded file as evidence to a vulnerability.

    Aborts with 403 when the form's ``csrf_token`` fails validation, with
    404 when no vulnerability ``vuln_id`` exists inside the workspace named
    ``workspace_name``, and with 400 when the multipart body carries no
    ``file`` part. Otherwise the upload is wrapped in a
    ``FaradayUploadedFile``, persisted as a ``File`` row of type
    ``'vulnerability'`` bound to ``vuln_id``, the session is committed and
    a JSON success message is returned.
    """
    try:
        validate_csrf(request.form.get('csrf_token'))
    except wtforms.ValidationError:
        flask.abort(403)

    # The lookup is scoped to the workspace, so a vuln id belonging to a
    # different workspace cannot be reached through this URL.
    vuln_in_workspace = (
        db.session.query(VulnerabilityGeneric, Workspace.id)
        .join(Workspace)
        .filter(
            VulnerabilityGeneric.id == vuln_id,
            Workspace.name == workspace_name,
        )
        .first()
    )
    if not vuln_in_workspace:
        flask.abort(404, "Vulnerability not found")
    if 'file' not in request.files:
        flask.abort(400)

    upload = request.files['file']
    evidence = FaradayUploadedFile(upload.read())
    # NOTE(review): the client-supplied filename is stored as given (no
    # basename/sanitisation here); confirm the storage layer never uses it
    # to build a filesystem path.
    filename = upload.filename
    get_or_create(
        db.session,
        File,
        object_id=vuln_id,
        object_type='vulnerability',
        name=filename,
        filename=filename,
        content=evidence,
    )
    db.session.commit()
    return flask.jsonify({'message': 'Evidence upload was successful'})
def test_image_is_detected_correctly():
    """A PNG upload is typed ``image/png`` and exposes thumbnail keys."""
    png_path = TEST_DATA_PATH / 'faraday.png'
    with open(png_path, "rb") as fh:
        raw = fh.read()
    field = FaradayUploadedFile(raw)

    assert field['content_type'] == 'image/png'
    keys = field.keys()
    assert 'thumb_id' in keys
    assert 'thumb_path' in keys
    # Two stored files are expected for an image (see thumb_* keys above).
    assert len(field['files']) == 2
def test_image_is_detected_correctly():
    """A PNG upload is typed ``image/png`` and exposes thumbnail keys."""
    png_path = os.path.join(CURRENT_PATH, 'data', 'faraday.png')
    with open(png_path, "rb") as fh:
        raw = fh.read()
    field = FaradayUploadedFile(raw)

    assert field['content_type'] == 'image/png'
    keys = field.keys()
    assert 'thumb_id' in keys
    assert 'thumb_path' in keys
    # Two stored files are expected for an image (see thumb_* keys above).
    assert len(field['files']) == 2
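def post_attachment(self, workspace_name, vuln_id):
    """
    ---
    post:
      tags: ["Vulnerability", "File"]
      description: Creates a new attachment in the vuln
      responses:
        200:
          description: Ok
        400:
          description: Missing file part, or evidence with that name already exists in the vuln
        404:
          description: Vulnerability not found
    """
    # The lookup is scoped to the workspace, so a vuln id belonging to a
    # different workspace cannot be reached through this URL.
    vuln_workspace_check = (
        db.session.query(VulnerabilityGeneric, Workspace.id)
        .join(Workspace)
        .filter(
            VulnerabilityGeneric.id == vuln_id,
            Workspace.name == workspace_name,
        )
        .first()
    )
    if not vuln_workspace_check:
        flask.abort(404, "Vulnerability not found")
    if 'file' not in request.files:
        flask.abort(400)

    upload = request.files['file']
    # NOTE(review): the client-supplied filename is stored as given and an
    # empty/missing filename is not rejected here; confirm upstream
    # validation and that the storage layer never uses it as a path.
    filename = upload.filename

    # A second upload under an already-attached name is refused.
    vuln = VulnerabilitySchema().dump(vuln_workspace_check[0])
    if filename in vuln['_attachments']:
        message = 'Evidence already exists in vuln'
        return make_response(
            flask.jsonify(message=message, success=False, code=400), 400)

    faraday_file = FaradayUploadedFile(upload.read())
    get_or_create(
        db.session,
        File,
        object_id=vuln_id,
        object_type='vulnerability',
        name=filename,
        filename=filename,
        content=faraday_file,
    )
    db.session.commit()
    message = 'Evidence upload was successful'
    return flask.jsonify({'message': message})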
def _process_attachments(self, obj, attachments):
    """Replace every stored attachment of ``obj`` with ``attachments``.

    All ``File`` rows of type ``'vulnerability'`` bound to ``obj.id`` are
    marked for deletion, then one row is created per entry of
    ``attachments``, a mapping of filename to a dict whose ``'data'``
    value is base64 text. Only the basename of each key is stored as the
    filename; the name is that basename without its extension. The
    session is not committed here.
    """
    stale_files = db.session.query(File).filter_by(
        object_id=obj.id,
        object_type='vulnerability',
    )
    for stale_file in stale_files:
        db.session.delete(stale_file)

    for raw_name, payload in attachments.items():
        # NOTE(review): malformed base64 in payload['data'] raises
        # binascii.Error here; confirm the caller validates or handles it.
        content = FaradayUploadedFile(b64decode(payload['data']))
        # Directory components of the client-supplied key are dropped.
        base_name = os.path.basename(raw_name)
        stem, _extension = os.path.splitext(base_name)
        get_or_create(
            db.session,
            File,
            object_id=obj.id,
            object_type='vulnerability',
            name=stem,
            filename=base_name,
            content=content,
        )
def _process_attachments(self, obj, attachments):
    """Replace every stored attachment of ``obj`` with ``attachments``.

    All ``File`` rows of type ``'vulnerability'`` bound to ``obj.id`` are
    loaded (with ``creator`` and ``update_user`` eagerly joined) and marked
    for deletion, then one row is created per entry of ``attachments``, a
    mapping of filename to a dict whose ``'data'`` value is base64 text.
    Only the final path component of each key is stored as the filename;
    the name is that component without its suffix. The session is not
    committed here.
    """
    stale_files = (
        db.session.query(File)
        .options(joinedload(File.creator), joinedload(File.update_user))
        .filter_by(object_id=obj.id, object_type='vulnerability')
    )
    for stale_file in stale_files:
        db.session.delete(stale_file)

    for raw_name, payload in attachments.items():
        # NOTE(review): malformed base64 in payload['data'] raises
        # binascii.Error here; confirm the caller validates or handles it.
        content = FaradayUploadedFile(b64decode(payload['data']))
        # Path.name keeps only the last component, so directory parts of
        # the client-supplied key are dropped.
        client_path = Path(raw_name)
        get_or_create(
            db.session,
            File,
            object_id=obj.id,
            object_type='vulnerability',
            name=client_path.stem,
            filename=client_path.name,
            content=content,
        )
def test_normal_attach_is_not_detected_as_image():
    """An XML report is stored as a plain octet-stream with no thumbnail."""
    report_path = TEST_DATA_PATH / 'report_w3af.xml'
    with open(report_path, "rb") as fh:
        raw = fh.read()
    field = FaradayUploadedFile(raw)

    assert field['content_type'] == 'application/octet-stream'
    # Non-images produce a single stored file.
    assert len(field['files']) == 1
def test_html_content_type_is_not_html():
    """An HTML upload is not served as text/html but as an octet-stream."""
    html_path = TEST_DATA_PATH / 'test.html'
    with open(html_path, "rb") as fh:
        raw = fh.read()
    field = FaradayUploadedFile(raw)

    # Typing attachments as octet-stream keeps browsers from rendering
    # uploaded HTML inline.
    assert field['content_type'] == 'application/octet-stream'
    assert len(field['files']) == 1
def test_normal_attach_is_not_detected_as_image():
    """An XML report is stored as a plain octet-stream with no thumbnail."""
    report_path = os.path.join(CURRENT_PATH, 'data', 'report_w3af.xml')
    with open(report_path, "rb") as fh:
        raw = fh.read()
    field = FaradayUploadedFile(raw)

    assert field['content_type'] == 'application/octet-stream'
    # Non-images produce a single stored file.
    assert len(field['files']) == 1
def test_html_content_type_is_not_html():
    """An HTML upload is not served as text/html but as an octet-stream."""
    html_path = os.path.join(CURRENT_PATH, 'data', 'test.html')
    with open(html_path, "rb") as fh:
        raw = fh.read()
    field = FaradayUploadedFile(raw)

    # Typing attachments as octet-stream keeps browsers from rendering
    # uploaded HTML inline.
    assert field['content_type'] == 'application/octet-stream'
    assert len(field['files']) == 1