
Update API endpoint for file upload #6712


Merged
merged 1 commit into from
Aug 19, 2022

Conversation

Maffooch (Contributor)

Per the discussion around #6564, I had forgotten to update the URL returned by the API to actually download the file from the server. Previously, the response returned the direct URL, which is not permission controlled. As of #6564, the ability to download files from the direct location is totally blocked, so downloading the file is not actually possible.

In this PR, the access-controlled URL is returned instead.

Before: [image]

After: [image]
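The change the PR description makes, modelled as an added example rather than DefectDojo's own code: the API used to hand back the raw storage URL of an upload, which the web server would serve without any permission check, and now hands back a URL that routes through a permission-checking view. Every name in the block (`User`, `StoredFile`, `serve_access_file`, the `/media/` and `/access_file/` prefixes, the sample file) is constructed for illustration and is not taken from the project.

```python
# Added example, not DefectDojo code. Models the change described in the PR:
# an API that used to return the raw storage URL of an upload now returns a
# URL that routes through a permission-checking view.
# Every name here (User, StoredFile, serve_access_file, the /media/ and
# /access_file/ prefixes, the sample file) is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MEDIA_URL = "/media/"  # assumption: prefix under which raw uploads are web-served


@dataclass(frozen=True)
class User:
    name: str
    is_authenticated: bool = True


@dataclass(frozen=True)
class StoredFile:
    id: int
    path: str                 # storage path relative to MEDIA_URL
    content: bytes
    allowed: frozenset        # user names permitted to read this file


def direct_url(f: StoredFile) -> str:
    """Before: the serializer exposed the storage location. Whoever knows the
    URL can fetch the bytes; no permission check runs on that path."""
    return MEDIA_URL + f.path


def access_url(f: StoredFile) -> str:
    """After: the serializer exposes a route handled by a view that checks
    permissions. Only the object id is revealed, not the storage path."""
    return f"/access_file/{f.id}/"


def api_file_response(f: StoredFile) -> Dict[str, object]:
    """What the API now hands back for a file object: the gated URL."""
    return {"id": f.id, "file": access_url(f)}


def serve_access_file(user: User, file_id: int,
                      files: Dict[int, StoredFile]) -> Tuple[int, Optional[bytes]]:
    """Model of the access-controlled view: authenticate, then authorize,
    then serve. Returns an (HTTP status, body) pair."""
    if not user.is_authenticated:
        return 401, None                     # the raw /media/ path never did this
    f = files.get(file_id)
    if f is None:
        return 404, None
    if user.name not in f.allowed:
        return 403, None
    return 200, f.content


# Constructed sample data.
FILES = {7: StoredFile(7, "uploads/2022/report.pdf", b"%PDF-constructed",
                       frozenset({"alice"}))}
ALICE, BOB = User("alice"), User("bob")
ANON = User("anonymous", is_authenticated=False)

if __name__ == "__main__":
    print("before:", direct_url(FILES[7]))        # /media/uploads/2022/report.pdf
    print("after: ", api_file_response(FILES[7]))
    for u in (ALICE, BOB, ANON):
        print(u.name, serve_access_file(u, 7, FILES)[0])
```

The point of the indirection is that the API response no longer contains anything a client could fetch without going through `serve_access_file`; a leaked API response therefore no longer equals a leaked file. The status codes (401 for unauthenticated, 403 for unauthorized, 404 for unknown) are this example's choice, not a statement about how the project's view responds.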

@dzmitry-savitski

I believe this PR will just fix the URL. But it's still not possible to retrieve file content using the API. There's no such API endpoint, and the "access_file/***" endpoint won't accept an API token.

@mtesauro (Contributor) left a review: Approved

@mtesauro (Contributor)

@Maffooch I'm good with merging this (as is Damien) - wanted to give you a chance to see the comment above.

If you're good with it, feel free to merge it since it has the necessary 2 approvals.

@damiencarol (Contributor)

@Maffooch @mtesauro better to create another PR to improve it.

@Maffooch (Contributor, Author)

Maybe a new PR would be better. The only thing left to do would be to create an API endpoint to download a file object directly. It would likely involve 2 API calls to download a file (1 to get the file id from a given object, and the second to download the file), so the solution is not graceful.

Overall better than having all files totally unrestricted, though.

@dzmitry-savitski

The only thing I wanted to bring up is the current situation. With this security update, there's no way to download files programmatically anymore. I have to run my scripts in manual mode (passing the session cookie) until the new API endpoint is created.

@Maffooch Maffooch merged commit 4e62baf into DefectDojo:dev Aug 19, 2022
@Maffooch Maffooch deleted the file branch August 19, 2022 14:30
shipko pushed a commit to shipko/django-DefectDojo that referenced this pull request Sep 5, 2022
4 participants