From b7a64860edf2f3addda93208f88781239eb56c7b Mon Sep 17 00:00:00 2001
From: Bobby Novak <176936850+rnovak338@users.noreply.github.com>
Date: Mon, 25 Nov 2024 11:52:23 -0500
Subject: [PATCH 1/2] Validate redirect URLs

---
 backend/report_submission/views.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/backend/report_submission/views.py b/backend/report_submission/views.py
index 7126e2c379..c70da5c4ef 100644
--- a/backend/report_submission/views.py
+++ b/backend/report_submission/views.py
@@ -120,7 +120,9 @@ def post(self, request):
 report_id = result.get("report_id")
 if report_id:
- return redirect(f"/report_submission/general-information/{report_id}")
+ return Util.validate_redirect_url(
+ redirect(f"/report_submission/general-information/{report_id}")
+ )
 else:
 return render(
 request, "report_submission/step-3.html", context=result, status=400
@@ -233,7 +235,9 @@ def post(self, request, *args, **kwargs):
 event_type=SubmissionEvent.EventType.GENERAL_INFORMATION_UPDATED,
 )
- return redirect(f"/audit/submission-progress/{report_id}")
+ return Util.validate_redirect_url(
+ redirect(f"/audit/submission-progress/{report_id}")
+ )
 except SingleAuditChecklist.DoesNotExist as err:
 raise PermissionDenied("You do not have access to this audit.") from err
 except ValidationError as err:
@@ -493,8 +497,10 @@ def post(self, request, *args, **kwargs):
 report_id = kwargs["report_id"]
 try:
- return redirect(
- "/audit/submission-progress/{report_id}".format(report_id=report_id)
+ return Util.validate_redirect_url(
+ redirect(
+ "/audit/submission-progress/{report_id}".format(report_id=report_id)
+ )
 )
 except Exception as e:

From 1657df1b3b66f82e2ac5be7ec3fc344d9dd5b0d5 Mon Sep 17 00:00:00 2001
From: Bobby Novak <176936850+rnovak338@users.noreply.github.com>
Date: Mon, 25 Nov 2024 12:12:36 -0500
Subject: [PATCH 2/2] django-test fix

---
 backend/report_submission/views.py | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
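Review bot: `report_id` is interpolated into the redirect path without any check of its own, so `Util.validate_redirect_url` is the only thing between that value and the `Location` header; in the third hunk the value is taken directly from the URL kwarg `kwargs["report_id"]`, and in the first from `result.get("report_id")`. The helper's implementation is not in this patch, so what it guarantees should be stated at the call site, since the view returns its result directly, e.g. `# validate_redirect_url must return the redirect response for a same-origin relative path; its failure mode is not visible here — confirm`. If these routes are named, `reverse("<route-name>", kwargs={"report_id": report_id})` would let the URL converter validate `report_id` and remove the hand-built path strings in all three hunks. The same point applies to the three hunks of PATCH 2/2, which only change the argument from the response object to the URL string. Each enclosing `post` method starts and ends outside its hunk.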
diff --git a/backend/report_submission/views.py b/backend/report_submission/views.py
index c70da5c4ef..9a74ac1f32 100644
--- a/backend/report_submission/views.py
+++ b/backend/report_submission/views.py
@@ -121,7 +121,7 @@ def post(self, request):
 if report_id:
 return Util.validate_redirect_url(
- redirect(f"/report_submission/general-information/{report_id}")
+ f"/report_submission/general-information/{report_id}"
 )
 else:
 return render(
@@ -235,9 +235,7 @@ def post(self, request, *args, **kwargs):
 event_type=SubmissionEvent.EventType.GENERAL_INFORMATION_UPDATED,
 )
- return Util.validate_redirect_url(
- redirect(f"/audit/submission-progress/{report_id}")
- )
+ return Util.validate_redirect_url(f"/audit/submission-progress/{report_id}")
 except SingleAuditChecklist.DoesNotExist as err:
 raise PermissionDenied("You do not have access to this audit.") from err
 except ValidationError as err:
@@ -498,9 +496,7 @@ def post(self, request, *args, **kwargs):
 try:
 return Util.validate_redirect_url(
- redirect(
- "/audit/submission-progress/{report_id}".format(report_id=report_id)
- )
+ "/audit/submission-progress/{report_id}".format(report_id=report_id)
 )
 except Exception as e:
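Review bot: In the third hunk the validated redirect sits inside `try:` ... `except Exception as e:`, so if `Util.validate_redirect_url` signals a rejected URL by raising, that catch-all absorbs it and whatever the handler body does (outside the hunk) becomes the failure path, while the first two hunks have no such wrapper and would propagate the same exception. Either narrow the clause to the specific exception the helper raises, or move the `Util.validate_redirect_url(...)` call out of the `try` so a rejected URL is handled the same way at all three sites. As a point of style, the second hunk builds the same path with an f-string while the third still uses `.format`; `return Util.validate_redirect_url(f"/audit/submission-progress/{report_id}")` would make the two call sites identical. The enclosing `post` method of each hunk starts and ends outside it.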