Minor refactoring, fixes

2021-11-04 14:31:43 -04:00 · 2021-11-04 14:31:43 -04:00 · c5fc89f61a
commit c5fc89f61a
--- a/app/api/common.py
+++ b/app/api/common.py
@ -1,6 +1,7 @@
-from django.core.exceptions import ObjectDoesNotExist, SuspiciousFileOperation
+from django.core.exceptions import ObjectDoesNotExist
 from rest_framework import exceptions
 import os
+import re

 from app import models

@ -32,16 +33,6 @@ def get_and_check_project(request, project_pk, perms=('view_project',)):
    return project


-def path_traversal_check(unsafe_path, known_safe_path):
-    known_safe_path = os.path.abspath(known_safe_path)
-    unsafe_path = os.path.abspath(unsafe_path)
-
-    if (os.path.commonprefix([known_safe_path, unsafe_path]) != known_safe_path):
-        raise SuspiciousFileOperation("{} is not safe".format(unsafe_path))
-
-    # Passes the check
-    return unsafe_path
-
 def hex2rgb(hex_color, with_alpha=False):
    """
    Adapted from https://stackoverflow.com/questions/29643352/converting-hex-to-rgb-value-in-python/29643643
@ -61,4 +52,7 @@ def hex2rgb(hex_color, with_alpha=False):
        if with_alpha:
            return tuple((255, 255, 255, 255))
        else:
-            return tuple((255, 255, 255))
+            return tuple((255, 255, 255))
+
+def get_asset_download_filename(task, asset):
+    return re.sub(r'[^0-9a-zA-Z-_]+', '', task.name.replace(" ", "-").replace("/", "-")) + "-" + asset
--- a/app/api/tasks.py
+++ b/app/api/tasks.py
@ -19,7 +19,7 @@ from app import models, pending_actions
 from nodeodm import status_codes
 from nodeodm.models import ProcessingNode
 from worker import tasks as worker_tasks
-from .common import get_and_check_project
+from .common import get_and_check_project, get_asset_download_filename
 from app.security import path_traversal_check
 from django.utils.translation import gettext_lazy as _

@ -370,10 +370,12 @@ class TaskDownloads(TaskNestedView):
        if not is_zipstream and not os.path.isfile(asset_fs):
            raise exceptions.NotFound(_("Asset does not exist"))
        
+        download_filename = request.GET.get('filename', get_asset_download_filename(task, asset))
+
        if not is_zipstream:
-            return download_file_response(request, asset_fs, 'attachment', download_filename=request.GET.get('filename'))
+            return download_file_response(request, asset_fs, 'attachment', download_filename=download_filename)
        else:
-            return download_file_stream(request, asset_fs, 'attachment', download_filename=request.GET.get('filename', asset))
+            return download_file_stream(request, asset_fs, 'attachment', download_filename=download_filename)

 """
 Raw access to the task's asset folder resources
--- a/app/api/tiler.py
+++ b/app/api/tiler.py
@ -6,7 +6,7 @@ from rasterio.crs import CRS
 from rasterio.features import bounds as featureBounds
 import urllib
 import os
-import re
+from .common import get_asset_download_filename
 from django.http import HttpResponse
 from rio_tiler.errors import TileOutsideBounds
 from rio_tiler.utils import has_alpha_band, \
@ -544,7 +544,7 @@ class Export(TaskNestedView):
        # Strip unsafe chars, append suffix
        extension = extension_for_export_format(export_format)
        filename = "{}{}.{}".format(
-                        re.sub(r'[^0-9a-zA-Z-_]+', '', task.name.replace(" ", "-").replace("/", "-")) + "-" + asset_type,
+                        get_asset_download_filename(task, asset_type),
                        "-{}".format(formula) if expr is not None else "",
                        extension
                    )
--- a/app/models/task.py
+++ b/app/models/task.py
@ -33,7 +33,7 @@ from django.contrib.gis.db.models.fields import GeometryField

 from app.cogeo import assure_cogeo
 from app.testwatch import testWatch
-from app.api.common import path_traversal_check
+from app.security import path_traversal_check
 from nodeodm import status_codes
 from nodeodm.models import ProcessingNode
 from pyodm.exceptions import NodeResponseError, NodeConnectionError, NodeServerError, OdmError
--- a/app/static/app/js/components/EditPresetDialog.jsx
+++ b/app/static/app/js/components/EditPresetDialog.jsx
@ -11,6 +11,9 @@ if (!Object.values) {
    values.shim();
 }

+// Do not apply to WebODM, can cause confusion
+const OPTS_BLACKLIST = ['orthophoto-png', 'orthophoto-kmz', 'pc-las', 'pc-ply', 'pc-csv', 'pc-ept', 'cog'];
+
 class EditPresetDialog extends React.Component {
    static defaultProps = {
    };
@ -129,7 +132,7 @@ class EditPresetDialog extends React.Component {
                  : ""}
                  <div className="row">
                    <div className="col-sm-12">
-                    {options.filter(option => this.state.showSearch && this.state.search !== "" ? 
+                    {options.filter(option => OPTS_BLACKLIST.indexOf(option.name.toLowerCase()) === -1).filter(option => this.state.showSearch && this.state.search !== "" ? 
                                                option.name.toLowerCase().indexOf(this.state.search.toLowerCase()) !== -1 :
                                                true)
                            .map(option =>