From ee7cdbeb78103c1c632ca04db03aaf6182022822 Mon Sep 17 00:00:00 2001
From: BenediktMKuehne <bennimail.4spam@gmail.com>
Date: Tue, 9 Jul 2024 05:16:55 +0000
Subject: [PATCH] shorten urls

---
 embark/reporter/urls.py  |  6 +++---
 embark/reporter/views.py | 33 ++++++++++++++++++++++-----------
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/embark/reporter/urls.py b/embark/reporter/urls.py
index 336a621b..c3e51b36 100644
--- a/embark/reporter/urls.py
+++ b/embark/reporter/urls.py
@@ -11,9 +11,9 @@
 # view routing
 urlpatterns = [
     # TODO get rid of the emba log paths
-    path(settings.EMBA_LOG_URL + '<uuid:analysis_id>/emba_logs/html-report/<str:html_file>', views.html_report, name='embark-html-report-index'),
-    path(settings.EMBA_LOG_URL + '<uuid:analysis_id>/emba_logs/html-report/style/<str:img_file>', views.html_report_resource, name='embark-html-report-resource'),
-    path(settings.EMBA_LOG_URL + '<uuid:analysis_id>/emba_logs/html-report/<path:html_path>/<str:file>', views.html_report_path, name='embark-html-report-path'),
+    path(settings.EMBA_LOG_URL + '<uuid:analysis_id>/<str:html_file>', views.html_report, name='embark-html-report-index'),
+    path(settings.EMBA_LOG_URL + '<uuid:analysis_id>/style/<str:img_file>', views.html_report_resource, name='embark-html-report-resource'),
+    path(settings.EMBA_LOG_URL + '<uuid:analysis_id>/<path:html_path>/<str:file>', views.html_report_path, name='embark-html-report-path'),
     path('get_load/', views.get_load, name='embark-get-load'),
     path('get_individual_report/<uuid:analysis_id>/', views.get_individual_report, name='embark-get-individual-report'),
     path('get_accumulated_reports/', views.get_accumulated_reports, name='embark-get-accumulated-reports'),
diff --git a/embark/reporter/views.py b/embark/reporter/views.py
index 4e963c9d..4cefd82a 100644
--- a/embark/reporter/views.py
+++ b/embark/reporter/views.py
@@ -48,17 +48,21 @@ def reports(request):
 @require_http_methods(["GET"])
 @login_required(login_url='/' + settings.LOGIN_URL)
 def html_report(request, analysis_id, html_file):
+    """
+    Let's the user request any html in the html-report
+    Checks: valid filename
+    TODO test traversal
+    """
     # make sure the html file is valid
     html_file_pattern = re.compile(r'^[\w,\s-]+\.html$')
-    if html_file.endswith('.html') and bool(re.match(html_file_pattern, html_file)):
-        report_path = Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_file}')
-        if FirmwareAnalysis.objects.filter(id=analysis_id).exists():
-            analysis = FirmwareAnalysis.objects.get(id=analysis_id)
-            if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser:
-                html_body = get_template(report_path)
-                logger.debug("html_report - analysis_id: %s html_file: %s", analysis_id, html_file)
-                return HttpResponse(html_body.render({'embarkBackUrl': reverse('embark-ReportDashboard')}))
-            messages.error(request, "User not authorized")
+    report_path = Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_file}')
+    if FirmwareAnalysis.objects.filter(id=analysis_id).exists() and bool(re.match(html_file_pattern, html_file)):
+        analysis = FirmwareAnalysis.objects.get(id=analysis_id)
+        if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser:
+            html_body = get_template(report_path)
+            logger.debug("html_report - analysis_id: %s html_file: %s", analysis_id, html_file)
+            return HttpResponse(html_body.render({'embarkBackUrl': reverse('embark-ReportDashboard')}))
+        messages.error(request, "User not authorized")
     logger.error("could  not get template - %s", request)
     return redirect("..")
 
@@ -67,9 +71,12 @@ def html_report(request, analysis_id, html_file):
 @login_required(login_url='/' + settings.LOGIN_URL)
 def html_report_path(request, analysis_id, html_path, file):
     """
-    The functions needs to either server html files or provide download
+    The functions needs to either serve html files or provide download of files in the subdirs
+    Checks: valid filename, path.resolved in correct parent
     """
-    if FirmwareAnalysis.objects.filter(id=analysis_id).exists():
+    # make sure the html file is valid
+    file_pattern = re.compile(r'^[\w,\s-]+\.+(tar.gz|html)$')
+    if FirmwareAnalysis.objects.filter(id=analysis_id).exists() and bool(re.match(file_pattern, file)):
         analysis = FirmwareAnalysis.objects.get(id=analysis_id)
         if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser:
             resource_path = f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_path}/{file}'
@@ -122,6 +129,10 @@ def html_report_path(request, analysis_id, html_path, file):
 @require_http_methods(["GET"])
 @login_required(login_url='/' + settings.LOGIN_URL)
 def html_report_resource(request, analysis_id, img_file):
+    """
+    Serves all resource files needed by the report
+    Chcks: filename validity
+    """
     # make sure the html file is valid
     img_file_pattern = re.compile(r'^[\w,\s-]+\.+(css|svg|png)$')
     if bool(re.match(img_file_pattern, img_file)):