Fix Content-Type header bugs in file downloads and MIME type handling (#14124)

Fixes #14118

This commit fixes multiple bugs related to MIME type handling in file downloads:

1. Fixed tuple-as-string bug where mimetypes.guess_type() was used directly
   in f-strings, resulting in invalid Content-Type headers like
   "('image/png', None)" instead of "image/png"

2. Added fallback to "application/octet-stream" when MIME type cannot be
   determined (when guess_type returns None)

3. Fixed incorrect content type for JSON exports (was "json" instead of
   "application/json")

4. Fixed potential AttributeError crash in inline_image template tag when
   guess_type returns None and code attempted to call .startswith() on None

Files changed:
- dojo/api_v2/views.py: Risk acceptance file download (API endpoint)
- dojo/utils.py: Generic file response helper function
- dojo/finding/views.py: Finding image downloads and JSON template export
- dojo/engagement/views.py: Risk acceptance proof downloads
- dojo/templatetags/display_tags.py: Inline image template tag

All file downloads now properly set Content-Type headers with appropriate
fallbacks for unknown file types.

Author: valentijnscholten

dojo/api_v2/views.py

@@ -751,7 +751,7 @@ def download_proof(self, request, pk=None):
         # send file
         response = FileResponse(
             file_handle,
-            content_type=f"{mimetypes.guess_type(str(file_path))}",
+            content_type=mimetypes.guess_type(str(file_path))[0] or "application/octet-stream",
             status=status.HTTP_200_OK,
         )
         response["Content-Length"] = file_object.size

dojo/engagement/views.py

@@ -1568,7 +1568,7 @@ def download_risk_acceptance(request, eid, raid):
             (Path(settings.MEDIA_ROOT) / "risk_acceptance.path.name").open(mode="rb")))
     response["Content-Disposition"] = f'attachment; filename="{risk_acceptance.filename()}"'
     mimetype, _encoding = mimetypes.guess_type(risk_acceptance.path.name)
-    response["Content-Type"] = mimetype
+    response["Content-Type"] = mimetype or "application/octet-stream"
     return response
 
 

dojo/finding/views.py

@@ -2175,7 +2175,7 @@ def templates(request):
 @user_has_global_permission(Permissions.Finding_Edit)
 def export_templates_to_json(request):
     leads_as_json = serializers.serialize("json", Finding_Template.objects.all())
-    return HttpResponse(leads_as_json, content_type="json")
+    return HttpResponse(leads_as_json, content_type="application/json")
 
 
 def ensure_template_tags_in_finding_model(template):
@@ -2444,7 +2444,7 @@ class Original(ImageSpec):
         response = StreamingHttpResponse(FileIterWrapper(image))
         response["Content-Disposition"] = "inline"
         mimetype, _encoding = mimetypes.guess_type(file_name)
-        response["Content-Type"] = mimetype
+        response["Content-Type"] = mimetype or "application/octet-stream"
         return response
 
 

dojo/templatetags/display_tags.py

@@ -452,7 +452,7 @@ def inline_image(image_file):
     # TODO: This code might need better exception handling or data processing
     if img_types := mimetypes.guess_type(image_file.file.name):
         img_type = img_types[0]
-        if img_type.startswith("image/"):
+        if img_type and img_type.startswith("image/"):
             img_data = base64.b64encode(image_file.file.read())
             return f"data:{img_type};base64, {img_data.decode('utf-8')}"
     return ""

dojo/utils.py

@@ -2404,7 +2404,7 @@ def generate_file_response_from_file_path(
     response = FileResponse(
         path.open("rb"),
         filename=full_file_name,
-        content_type=f"{mimetypes.guess_type(file_path)}",
+        content_type=mimetypes.guess_type(file_path)[0] or "application/octet-stream",
     )
     # Add some important headers
     response["Content-Disposition"] = f'attachment; filename="{full_file_name}"'