fix: LEAP-192: Check avatar file extension (#4818)

* fix: LEAP-192: Check avatar file extension * Add comment * Fix filename --------- Co-authored-by: MihajloHoma <MihajloHoma@users.noreply.github.com>
HumanSignal · Oct 9, 2023 · feb2275 · feb2275
1 parent bc75c00
commit feb2275
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 8 deletions.
diff --git a/label_studio/users/functions.py b/label_studio/users/functions.py
@@ -1,5 +1,6 @@
 """This file and its contents are licensed under the Apache License 2.0. Please see the included NOTICE for copyright information and LICENSE for a copy of the license.
 """
+import os
 import uuid
 from time import time
 
@@ -23,7 +24,7 @@ def check_avatar(files):
     if not images:
         return None
 
-    filename, avatar = list(files.items())[0]  # get first file
+    _, avatar = list(files.items())[0]  # get first file
     w, h = get_image_dimensions(avatar)
     if not w or not h:
         raise forms.ValidationError("Can't read image, try another one")
@@ -33,9 +34,17 @@ def check_avatar(files):
     if w > max_width or h > max_height:
         raise forms.ValidationError('Please use an image that is %s x %s pixels or smaller.' % (max_width, max_height))
 
+    valid_extensions = ['jpeg', 'jpg', 'gif', 'png']
+
+    filename = avatar.name
+    # check file extension
+    ext = os.path.splitext(filename)[1].lstrip('.').lower()
+    if ext not in valid_extensions:
+        raise forms.ValidationError('Please upload a valid image file with extensions: JPEG, JPG, GIF, or PNG.')
+
     # validate content type
     main, sub = avatar.content_type.split('/')
-    if not (main == 'image' and sub.lower() in ['jpeg', 'jpg', 'gif', 'png']):
+    if not (main == 'image' and sub.lower() in valid_extensions):
         raise forms.ValidationError('Please use a JPEG, GIF or PNG image.')
 
     # validate file size

diff --git a/label_studio/users/urls.py b/label_studio/users/urls.py
@@ -19,14 +19,20 @@
     path('user/signup/', views.user_signup, name='user-signup'),
     path('user/account/', views.user_account, name='user-account'),
     url(r'^logout/?$', views.logout, name='logout'),
-    # avatars
-    re_path(
-        r'^data/' + settings.AVATAR_PATH + '/(?P<path>.*)$',
-        serve,
-        kwargs={'document_root': join(settings.MEDIA_ROOT, settings.AVATAR_PATH)},
-    ),
     # Token
     path('api/current-user/reset-token/', api.UserResetTokenAPI.as_view(), name='current-user-reset-token'),
     path('api/current-user/token', api.UserGetTokenAPI.as_view(), name='current-user-token'),
     path('api/current-user/whoami', api.UserWhoAmIAPI.as_view(), name='current-user-whoami'),
 ]
+
+# When CLOUD_FILE_STORAGE_ENABLED is set, avatars are uploaded to cloud storage with a different URL pattern.
+# This local serving pattern is unnecessary for environments with cloud storage enabled.
+if not settings.CLOUD_FILE_STORAGE_ENABLED:
+    urlpatterns += [
+        # avatars
+        re_path(
+            r'^data/' + settings.AVATAR_PATH + '/(?P<path>.*)$',
+            serve,
+            kwargs={'document_root': join(settings.MEDIA_ROOT, settings.AVATAR_PATH)},
+        ),
+    ]