From a9490b9f916acb25213000a6ccbb4dae045b2227 Mon Sep 17 00:00:00 2001
From: Beto Dealmeida
Date: Tue, 25 Oct 2022 13:45:30 -0700
Subject: [PATCH] Address comments

---
 .../src/components/ImportModal/index.tsx | 2 +-
 superset/queries/saved_queries/api.py | 2 +-
 tests/unit_tests/databases/api_test.py | 34 +++++++++++++++++++
 tests/unit_tests/importexport/api_test.py | 3 +-
 4 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/superset-frontend/src/components/ImportModal/index.tsx b/superset-frontend/src/components/ImportModal/index.tsx
index 6f913d4cd20f2..6a980f7d2013b 100644
--- a/superset-frontend/src/components/ImportModal/index.tsx
+++ b/superset-frontend/src/components/ImportModal/index.tsx
@@ -289,7 +289,7 @@ const ImportModelsModal: FunctionComponent = ({
 name="modelFile"
 id="modelFile"
 data-test="model-file-input"
- accept=".yaml,.json,.yml,.zip,.pdf"
+ accept=".yaml,.json,.yml,.zip"
 fileList={fileList}
 onChange={changeFile}
 onRemove={removeFile}
diff --git a/superset/queries/saved_queries/api.py b/superset/queries/saved_queries/api.py
index d9f8f79efedf0..52467a5c92d79 100644
--- a/superset/queries/saved_queries/api.py
+++ b/superset/queries/saved_queries/api.py
@@ -19,7 +19,7 @@
 from datetime import datetime
 from io import BytesIO
 from typing import Any
-from zipfile import ZipFile, is_zipfile
+from zipfile import is_zipfile, ZipFile
 
 from flask import g, request, Response, send_file
 from flask_appbuilder.api import expose, protect, rison, safe
diff --git a/tests/unit_tests/databases/api_test.py b/tests/unit_tests/databases/api_test.py
index c0df8bb4d1bb7..d6f8897c4a090 100644
--- a/tests/unit_tests/databases/api_test.py
+++ b/tests/unit_tests/databases/api_test.py
@@ -18,6 +18,7 @@
 # pylint: disable=unused-argument, import-outside-toplevel, line-too-long
 
 import json
+from io import BytesIO
 from typing import Any
 from uuid import UUID
 
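Review bot: The `accept` attribute on the `modelFile` input is a file-picker hint, not a validation step: a user can switch the dialog to "All files" and any client can POST an arbitrary body directly, so removing `.pdf` here does not by itself keep PDFs out — the server-side ZIP check that the test added in this commit exercises is the control that matters. The remaining `.yaml,.json,.yml` entries deserve the same scrutiny: if every endpoint this modal posts to now requires a ZIP archive, they let users pick files the server will refuse with a 422; if some importer still accepts them, naming it would stop the next reader from deleting them. I would record that above the attribute with `// accept is only a picker hint; the API rejects anything that is not a ZIP archive`. The enclosing `ImportModelsModal` component starts and ends outside the hunk.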
@@ -157,3 +158,36 @@ def test_update_with_password_mask(
 database.encrypted_extra
 == '{"service_account_info": {"project_id": "yellow-unicorn-314419", "private_key": "SECRET"}}'
 )
+
+
+def test_non_zip_import(client: Any, full_api_access: None) -> None:
+ """
+ Test that non-ZIP imports are not allowed.
+ """
+ buf = BytesIO(b"definitely_not_a_zip_file")
+ form_data = {
+ "formData": (buf, "evil.pdf"),
+ }
+ response = client.post(
+ "/api/v1/database/import/",
+ data=form_data,
+ content_type="multipart/form-data",
+ )
+ assert response.status_code == 422
+ assert response.json == {
+ "errors": [
+ {
+ "message": "Not a ZIP file",
+ "error_type": "GENERIC_COMMAND_ERROR",
+ "level": "warning",
+ "extra": {
+ "issue_codes": [
+ {
+ "code": 1010,
+ "message": "Issue 1010 - Superset encountered an error while running a command.",
+ }
+ ]
+ },
+ }
+ ]
+ }
diff --git a/tests/unit_tests/importexport/api_test.py b/tests/unit_tests/importexport/api_test.py
index 9c8c740255783..a65a682018eda 100644
--- a/tests/unit_tests/importexport/api_test.py
+++ b/tests/unit_tests/importexport/api_test.py
@@ -14,7 +14,8 @@
 # KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations
 # under the License.
-# pylint: disable=invalid-name, import-outside-toplevel
+
+# pylint: disable=invalid-name, import-outside-toplevel, unused-argument
 import json
 from io import BytesIO
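Review bot: `test_non_zip_import` shows the endpoint rejects a non-ZIP body, but because the upload is named `evil.pdf` it cannot distinguish a content check (presumably `is_zipfile`, which the saved-queries API in this same patch imports) from an extension check; the same bytes under the name `evil.zip` would pin the content-based behaviour, e.g. `@pytest.mark.parametrize("filename", ["evil.pdf", "evil.zip"])` on the test (if the file already imports pytest) with `"formData": (buf, filename)`. A well-formed ZIP archive whose contents are not an import bundle is a separate path this test does not cover, and the other import endpoints (saved queries, dashboards, charts) presumably share the check but get no test here. Asserting the whole error payload down to the issue-code wording also makes the test break on any message edit; `status_code == 422` plus `response.json["errors"][0]["message"] == "Not a ZIP file"` would be more robust. The new test function lies entirely within the hunk; the three context lines above it belong to `test_update_with_password_mask`, which starts outside it.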