Address comments

apache · Oct 26, 2022 · a9490b9 · a9490b9
1 parent 999c82a
commit a9490b9
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 3 deletions.
diff --git a/superset-frontend/src/components/ImportModal/index.tsx b/superset-frontend/src/components/ImportModal/index.tsx
@@ -289,7 +289,7 @@ const ImportModelsModal: FunctionComponent<ImportModelsModalProps> = ({
  name="modelFile"
  id="modelFile"
  data-test="model-file-input"
- accept=".yaml,.json,.yml,.zip,.pdf"
+ accept=".yaml,.json,.yml,.zip"
  fileList={fileList}
  onChange={changeFile}
  onRemove={removeFile}

diff --git a/superset/queries/saved_queries/api.py b/superset/queries/saved_queries/api.py
@@ -19,7 +19,7 @@
 from datetime import datetime
 from io import BytesIO
 from typing import Any
-from zipfile import ZipFile, is_zipfile
+from zipfile import is_zipfile, ZipFile
 
 from flask import g, request, Response, send_file
 from flask_appbuilder.api import expose, protect, rison, safe

diff --git a/tests/unit_tests/databases/api_test.py b/tests/unit_tests/databases/api_test.py
@@ -18,6 +18,7 @@
 # pylint: disable=unused-argument, import-outside-toplevel, line-too-long
 
 import json
+from io import BytesIO
 from typing import Any
 from uuid import UUID
 
@@ -157,3 +158,36 @@ def test_update_with_password_mask(
  database.encrypted_extra
  == '{"service_account_info": {"project_id": "yellow-unicorn-314419", "private_key": "SECRET"}}'
  )
+
+
+def test_non_zip_import(client: Any, full_api_access: None) -> None:
+ """
+ Test that non-ZIP imports are not allowed.
+ """
+ buf = BytesIO(b"definitely_not_a_zip_file")
+ form_data = {
+ "formData": (buf, "evil.pdf"),
+ }
+ response = client.post(
+ "/api/v1/database/import/",
+ data=form_data,
+ content_type="multipart/form-data",
+ )
+ assert response.status_code == 422
+ assert response.json == {
+ "errors": [
+ {
+ "message": "Not a ZIP file",
+ "error_type": "GENERIC_COMMAND_ERROR",
+ "level": "warning",
+ "extra": {
+ "issue_codes": [
+ {
+ "code": 1010,
+ "message": "Issue 1010 - Superset encountered an error while running a command.",
+ }
+ ]
+ },
+ }
+ ]
+ }
diff --git a/tests/unit_tests/importexport/api_test.py b/tests/unit_tests/importexport/api_test.py
@@ -14,7 +14,8 @@
 # KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations
 # under the License.
-# pylint: disable=invalid-name, import-outside-toplevel
+
+# pylint: disable=invalid-name, import-outside-toplevel, unused-argument
 
 import json
 from io import BytesIO