Commit a258f04

committed
[ADD] Added DS fields check on DS file addition
1 parent 52ca730 commit a258f04

1 file changed

+19
-17
lines changed

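--- a/source/app/blueprints/datastore/datastore_routes.py
+++ b/source/app/blueprints/datastore/datastore_routes.py
@@ -62,6 +62,15 @@
 
 logger = app.logger
 
+ALLOWED_FIELDS_DS_FILE = [
+'file_original_name',
+'file_description',
+'file_is_ioc',
+'file_is_evidence',
+'file_password',
+'file_tags',
+'file_parent_id'
+]
 
 @datastore_blueprint.route('/datastore/list/tree', methods=['GET'])
 @ac_api_case_requires(CaseAccessLevel.read_only, CaseAccessLevel.full_access)
@@ -203,15 +212,11 @@ def datastore_update_file(cur_id: int, caseid: int):
 dsf_schema = DSFileSchema()
 try:
 # Ensure the form only contains fields that are allowed to be updated
-# Allowed fields: file_original_name, file_description, file_is_ioc, file_is_evidence, file_password
-form_data = {
-'file_original_name': request.form.get('file_original_name'),
-'file_description': request.form.get('file_description'),
-'file_password': request.form.get('file_password'),
-'file_is_ioc': request.form.get('file_is_ioc'),
-'file_is_evidence': request.form.get('file_is_evidence'),
-'file_parent_id': request.form.get('file_parent_id')
-}
+# Remove the fields that are not allowed to be updated
+form_data = request.form.to_dict()
+for key in list(form_data.keys()):
+if key not in ALLOWED_FIELDS_DS_FILE:
+form_data.pop(key)
 dsf_sc = dsf_schema.load(form_data, instance=dsf, partial=True)
 add_obj_history_entry(dsf_sc, 'updated')
 
@@ -333,15 +338,12 @@ def datastore_add_file(cur_id: int, caseid: int):
 dsf_schema = DSFileSchema()
 try:
 
-file_data = {
-'file_original_name': request.form.get('file_original_name'),
-'file_description': request.form.get('file_description'),
-'file_password': request.form.get('file_password'),
-'file_is_ioc': request.form.get('file_is_ioc') is not None or request.form.get('file_is_ioc') is True,
-'file_is_evidence': request.form.get('file_is_evidence') is not None or request.form.get('file_is_evidence') is True
-}
+form_data = request.form.to_dict()
+for key in list(form_data.keys()):
+if key not in ALLOWED_FIELDS_DS_FILE:
+form_data.pop(key)
 
-dsf_sc = dsf_schema.load(file_data, partial=True)
+dsf_sc = dsf_schema.load(form_data, partial=True)
 
 dsf_sc.file_parent_id = dsp.path_id
 dsf_sc.added_by_user_id = current_user.id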
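Review bot: `file_parent_id` is in the shared `ALLOWED_FIELDS_DS_FILE`, so in datastore_update_file a client-supplied parent id is applied to the instance by `dsf_schema.load(form_data, instance=dsf, partial=True)`, and nothing visible in that hunk checks that the target path belongs to `caseid`. datastore_add_file overwrites the field with `dsp.path_id` after the load, so only the update route depends on that check; both function bodies continue outside their hunks, so if neither DSFileSchema nor the unseen code enforces it, a file could be re-parented under a path of another case. I would document the constant as the mass-assignment guard it is, for example `# Mass-assignment allowlist shared by add and update; file_parent_id must still be validated against the case`, or give the update route its own narrower list. The two filter loops are identical and could each be the single expression `form_data = {k: v for k, v in request.form.items() if k in ALLOWED_FIELDS_DS_FILE}`.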
