Check that uploaded images are actually images

2025-07-10 03:49:24 +00:00 · 2025-04-08 17:21:30 +02:00
parent 13f417ba30
commit 376af35bfb
5 changed files with 59 additions and 13 deletions
--- a/sas/api.py
+++ b/sas/api.py
@ -2,7 +2,7 @@ from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db.models import F
 from django.urls import reverse
-from ninja import Body, Query, UploadedFile
+from ninja import Body, File, Query
 from ninja.errors import HttpError
 from ninja_extra import ControllerBase, api_controller, paginate, route
 from ninja_extra.exceptions import NotFound, PermissionDenied
@ -19,6 +19,7 @@ from core.auth.api_permissions import (
    IsRoot,
 )
 from core.models import Notification, User
+from core.schemas import UploadedImage
 from sas.models import Album, PeoplePictureRelation, Picture
 from sas.schemas import (
    AlbumAutocompleteSchema,
@ -106,7 +107,7 @@ class PicturesController(ControllerBase):
        response={200: None, 409: dict[str, list[str]]},
        url_name="upload_picture",
    )
-    def upload_picture(self, album_id: Body[int], picture: UploadedFile):
+    def upload_picture(self, album_id: Body[int], picture: File[UploadedImage]):
        album = self.get_object_or_exception(Album, pk=album_id)
        user = self.context.request.user
        self_moderate = user.has_perm("sas.moderate_sasfile")
--- a/sas/tests/test_api.py
+++ b/sas/tests/test_api.py
@ -266,3 +266,23 @@ def test_upload_picture(client: Client):
    assert picture.file.name == "SAS/test album/img.png"
    assert picture.compressed.name == ".compressed/SAS/test album/img.webp"
    assert picture.thumbnail.name == ".thumbnails/SAS/test album/img.webp"
+
+
+@pytest.mark.django_db
+def test_upload_invalid_picture(client: Client):
+    sas = SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
+    album = baker.make(Album, is_in_sas=True, parent=sas, name="test album")
+    user = baker.make(User, is_superuser=True)
+    client.force_login(user)
+    file = SimpleUploadedFile(
+        name="file.txt",
+        content=b"azerty",
+        content_type="image/png",  # the server shouldn't blindly trust the content_type
+    )
+    res = client.post(
+        reverse("api:upload_picture"), {"album_id": album.id, "picture": file}
+    )
+    assert res.status_code == 422
+    assert res.json()["detail"][0]["ctx"]["error"] == (
+        "Ce fichier n'est pas une image valide"
+    )