Merge pull request #1070 from AIDI-solar/import_from_file_system

Added possibility to import file from system.
2021-10-11 13:54:56 -04:00 · 2021-10-11 13:54:56 -04:00 · 54ee8f898d
commit 54ee8f898d
--- a/app/models/task.py
+++ b/app/models/task.py
@ -12,14 +12,14 @@ import piexif
 import re

 import zipfile
-
+from shutil import copyfile
 import requests
 from PIL import Image
 from django.contrib.gis.gdal import GDALRaster
 from django.contrib.gis.gdal import OGRGeometry
 from django.contrib.gis.geos import GEOSGeometry
 from django.contrib.postgres import fields
-from django.core.exceptions import ValidationError
+from django.core.exceptions import ValidationError, SuspiciousFileOperation
 from django.db import models
 from django.db import transaction
 from django.db import connection
@ -31,6 +31,7 @@ from django.contrib.gis.db.models.fields import GeometryField

 from app.cogeo import assure_cogeo
 from app.testwatch import testWatch
+from app.api.common import path_traversal_check
 from nodeodm import status_codes
 from nodeodm.models import ProcessingNode
 from pyodm.exceptions import NodeResponseError, NodeConnectionError, NodeServerError, OdmError
@ -462,8 +463,21 @@ class Task(models.Model):
        self.save()

        zip_path = self.assets_path("all.zip")
-
+        # Import assets file from mounted system volume (media-dir)/imports by relative path.
+        # Import file from relative path.
        if self.import_url and not os.path.exists(zip_path):
+            if self.import_url.startswith("file://"):
+                imports_folder_path = os.path.join(settings.MEDIA_ROOT, "imports")
+                unsafe_path_to_import_file = os.path.join(settings.MEDIA_ROOT, "imports", self.import_url.replace("file://", ""))
+                # check is file placed in shared media folder in /imports directory without traversing
+                try:
+                    checked_path_to_file = path_traversal_check(unsafe_path_to_import_file, imports_folder_path)
+                    if os.path.isfile(checked_path_to_file):
+                        copyfile(checked_path_to_file, zip_path)
+                except SuspiciousFileOperation as e:
+                    logger.error("Error due importing assets from {} for {} in cause of path checking error".format(self.import_url, self))
+                    raise NodeServerError(e)
+            else:
                try:
                    # TODO: this is potentially vulnerable to a zip bomb attack
                    #       mitigated by the fact that a valid account is needed to