zip files before download in file broswer

needs to be completly rewritten in the future but for now this is more secure
2026-01-04 05:39:00 -05:00 · 2022-07-04 14:39:53 +02:00
parent d9d0676bed
commit 690c486bb2
5 changed files with 255 additions and 70 deletions
--- a/cookbook/views/api.py
+++ b/cookbook/views/api.py
@@ -5,6 +5,7 @@ import re
 import traceback
 import uuid
 from collections import OrderedDict
+from zipfile import ZipFile

 import requests
 import validators
@@ -1216,6 +1217,31 @@ def switch_active_space(request, space_id):
        return Response({}, status=status.HTTP_400_BAD_REQUEST)


+@api_view(['GET'])
+# @schema(AutoSchema()) #TODO add proper schema
+@permission_classes([CustomIsUser])
+def download_file(request, file_id):
+    """
+    function to download a user file securely (wrapping as zip to prevent any context based XSS problems)
+    temporary solution until a real file manager is implemented
+    """
+    try:
+        uf = UserFile.objects.get(space=request.space, pk=file_id)
+
+        in_memory = io.BytesIO()
+        zf = ZipFile(in_memory, mode="w")
+        zf.writestr(uf.file.name, uf.file.file.read())
+        zf.close()
+
+        response = HttpResponse(in_memory.getvalue(), content_type='application/force-download')
+        response['Content-Disposition'] = 'attachment; filename="' + uf.name + '.zip"'
+        return response
+
+    except Exception as e:
+        traceback.print_exc()
+        return Response({}, status=status.HTTP_400_BAD_REQUEST)
+
+
 def get_recipe_provider(recipe):
    if recipe.storage.method == Storage.DROPBOX:
        return Dropbox