Support for whitelisted file extensions (#12891)

* Support for whitelisted file extensions

* Centralize logic

Author: Maffooch

dojo/api_v2/serializers.py

@@ -124,7 +124,7 @@
 )
 from dojo.user.utils import get_configuration_permissions_codenames
 from dojo.utils import is_scan_file_too_large
-from dojo.validators import tag_validator
+from dojo.validators import ImporterFileExtensionValidator, tag_validator
 
 logger = logging.getLogger(__name__)
 deduplicationLogger = logging.getLogger("dojo.specific-loggers.deduplication")
@@ -2090,7 +2090,11 @@ class CommonImportScanSerializer(serializers.Serializer):
         default=None,
         help_text="Enter the ID of an Endpoint that is associated with the target Product. New Findings will be added to that Endpoint.",
     )
-    file = serializers.FileField(allow_empty_file=True, required=False)
+    file = serializers.FileField(
+        allow_empty_file=True,
+        required=False,
+        validators=[ImporterFileExtensionValidator()],
+    )
     product_type_name = serializers.CharField(required=False)
     product_name = serializers.CharField(required=False)
     engagement_name = serializers.CharField(required=False)

dojo/forms.py

@@ -112,7 +112,7 @@
     is_finding_groups_enabled,
     is_scan_file_too_large,
 )
-from dojo.validators import tag_validator
+from dojo.validators import ImporterFileExtensionValidator, tag_validator
 from dojo.widgets import TableCheckboxWidget
 
 logger = logging.getLogger(__name__)
@@ -525,11 +525,15 @@ class ImportScanForm(forms.Form):
     source_code_management_uri = forms.URLField(max_length=600, required=False, help_text="Resource link to source code")
     tags = TagField(required=False, help_text="Add tags that help describe this scan.  "
                     "Choose from the list or add new tags. Press Enter key to add.")
-    file = forms.FileField(widget=forms.widgets.FileInput(
-        attrs={"accept": ".xml, .csv, .nessus, .json, .jsonl, .html, .js, .zip, .xlsx, .txt, .sarif"}),
+    file = forms.FileField(
+        widget=forms.widgets.FileInput(
+            attrs={"accept": ".xml, .csv, .nessus, .json, .jsonl, .html, .js, .zip, .xlsx, .txt, .sarif"},
+        ),
         label="Choose report file",
         allow_empty_file=True,
-        required=False)
+        required=False,
+        validators=[ImporterFileExtensionValidator()],
+    )
 
     # Close Old Findings has changed. The default is engagement only, and it requires a second flag to expand to the product scope.
     # Exposing the choice as two different check boxes.
@@ -646,11 +650,15 @@ class ReImportScanForm(forms.Form):
     endpoints = forms.ModelMultipleChoiceField(Endpoint.objects, required=False, label="Systems / Endpoints")
     tags = TagField(required=False, help_text="Modify existing tags that help describe this scan.  "
                     "Choose from the list or add new tags. Press Enter key to add.")
-    file = forms.FileField(widget=forms.widgets.FileInput(
-        attrs={"accept": ".xml, .csv, .nessus, .json, .jsonl, .html, .js, .zip, .xlsx, .txt, .sarif"}),
+    file = forms.FileField(
+        widget=forms.widgets.FileInput(
+            attrs={"accept": ".xml, .csv, .nessus, .json, .jsonl, .html, .js, .zip, .xlsx, .txt, .sarif"},
+        ),
         label="Choose report file",
         allow_empty_file=True,
-        required=False)
+        required=False,
+        validators=[ImporterFileExtensionValidator()],
+    )
     close_old_findings = forms.BooleanField(help_text="Select if old findings in the same test that are no longer present in the report get closed as mitigated when importing.",
                                             required=False, initial=True)
     version = forms.CharField(max_length=100, required=False, help_text="Version that will be set on existing Test object. Leave empty to leave existing value in place.")

dojo/validators.py

@@ -5,6 +5,7 @@
 import cvss.parser
 from cvss import CVSS2, CVSS3, CVSS4
 from django.core.exceptions import ValidationError
+from django.core.validators import FileExtensionValidator
 
 logger = logging.getLogger(__name__)
 
@@ -72,3 +73,12 @@ def cvss3_validator(value: str | list[str], exception_class: Callable = Validati
     # to avoid 'NoneType' errors during severity processing later.
     msg = "No valid CVSS vectors found by cvss.parse_cvss_from_text()"
     raise exception_class(msg)
+
+
+class ImporterFileExtensionValidator(FileExtensionValidator):
+    default_allowed_extensions = ["xml", "csv", "nessus", "json", "jsonl", "html", "js", "zip", "xlsx", "txt", "sarif"]
+
+    def __init__(self, *args: list, **kwargs: dict):
+        if "allowed_extensions" not in kwargs:
+            kwargs["allowed_extensions"] = self.default_allowed_extensions
+        super().__init__(*args, **kwargs)