From d17b16f5ae55eaed7f10e76ed065aa1cea06bede Mon Sep 17 00:00:00 2001
From: robinvandermolen <robin@maykinmedia.nl>
Date: Thu, 19 Dec 2024 14:09:10 +0100
Subject: [PATCH] :bug: [#4795] Invert validation for .msg files

The SDK cannot reliably determine which content type belongs to a .msg
file, most notably on Linux and MacOS because the extension is not in
the mime type database. This manifests as a file being uploaded with empty
content-type.

To allow these files to go through, the serializer must allow empty
values for the 'type' field which contains the detected content type,
and the backend must perform additional processing to determine the file
type. We can do this by falling back to the generic case of 'binary
file' (application/octet-stream) content type, and let libmagic figure
out which extensions belong to the magic bytes, i.e. we look at the
magic bytes to figure out what kind of file was provided, and we check
the provided file extensions against the list of valid extensions for
the detected file type.

Backport-of: #4961
---
 .../conf/locale/nl/LC_MESSAGES/django.po      |   2 +-
 src/openforms/formio/api/validators.py        |  41 +++++++++++-------
 src/openforms/formio/components/vanilla.py    |   9 +---
 src/openforms/formio/tests/files/test.msg     | Bin 0 -> 11264 bytes
 src/openforms/formio/tests/test_validators.py |  34 +++++++++++++++
 .../formio/tests/validation/test_file.py      |   4 +-
 .../tests/e2e/test_input_validation.py        |  10 ++---
 7 files changed, 69 insertions(+), 31 deletions(-)
 create mode 100644 src/openforms/formio/tests/files/test.msg

diff --git a/src/openforms/conf/locale/nl/LC_MESSAGES/django.po b/src/openforms/conf/locale/nl/LC_MESSAGES/django.po
index ee945803f5..50aab26f15 100644
--- a/src/openforms/conf/locale/nl/LC_MESSAGES/django.po
+++ b/src/openforms/conf/locale/nl/LC_MESSAGES/django.po
@@ -4591,7 +4591,7 @@ msgid ""
 "extension."
 msgstr ""
 "Het bestandstype kon niet bepaald worden. Controleer of de bestandsnaam met "
-"een extensie eindigt (bijvoorbeel '.pdf' of '.png')."
+"een extensie eindigt (bijvoorbeeld '.pdf' of '.png')."
 
 #: openforms/formio/components/vanilla.py:332
 #, python-brace-format
diff --git a/src/openforms/formio/api/validators.py b/src/openforms/formio/api/validators.py
index 34dcd5aa13..af072a4d13 100644
--- a/src/openforms/formio/api/validators.py
+++ b/src/openforms/formio/api/validators.py
@@ -1,4 +1,5 @@
 import logging
+from pathlib import Path
 from typing import Iterable
 
 from django.core.files.uploadedfile import UploadedFile
@@ -56,29 +57,40 @@ def __init__(self, allowed_mime_types: Iterable[str] | None = None):
 
     def __call__(self, value: UploadedFile) -> None:
         head = value.read(2048)
-        ext = value.name.split(".")[-1]
-        mime_type = magic.from_buffer(head, mime=True)
+        ext = Path(value.name or "").suffix[1:]
+        detected_mime_type = magic.from_buffer(head, mime=True)
+        provided_mime_type = value.content_type or "application/octet-stream"
 
         # gh #2520
         # application/x-ole-storage on Arch with shared-mime-info 2.0+155+gf4e7cbc-1
-        if mime_type in ["application/CDFV2", "application/x-ole-storage"]:
+        if detected_mime_type in ["application/CDFV2", "application/x-ole-storage"]:
             whole_file = head + value.read()
-            mime_type = magic.from_buffer(whole_file, mime=True)
+            detected_mime_type = magic.from_buffer(whole_file, mime=True)
 
-        if mime_type == "image/heif":
-            mime_type = "image/heic"
+        if detected_mime_type == "image/heif":
+            detected_mime_type = "image/heic"
 
         if not (
             self.any_allowed
-            or mimetype_allowed(mime_type, self._regular_mimes, self._wildcard_mimes)
+            or mimetype_allowed(
+                detected_mime_type, self._regular_mimes, self._wildcard_mimes
+            )
         ):
             raise serializers.ValidationError(
                 _("The provided file is not a valid file type.")
             )
 
+        if not ext:
+            raise serializers.ValidationError(
+                _(
+                    "Could not determine the file type. Please make sure the file name "
+                    "has an extension."
+                )
+            )
+
         # Contents is allowed. Do extension or submitted content_type agree?
-        if value.content_type == "application/octet-stream":
-            m = magic.Magic(extension=True)
+        if provided_mime_type == "application/octet-stream":
+            m = magic.Magic(extension=True)  # pyright: ignore[reportCallIssue]
             extensions = m.from_buffer(head).split("/")
             # magic db doesn't know any more specific extension(s), so accept the
             # file
@@ -101,27 +113,26 @@ def __call__(self, value: UploadedFile) -> None:
         # If the file does not strictly follow the conventions of CSV (e.g. non-standard delimiters),
         # may not be considered as a valid CSV.
         elif (
-            value.content_type == "text/csv"
-            and mime_type == "text/plain"
+            provided_mime_type == "text/csv"
+            and detected_mime_type == "text/plain"
             and ext == "csv"
         ):
             return
-        elif mime_type == "image/heic" and value.content_type in (
+        elif detected_mime_type == "image/heic" and provided_mime_type in (
             "image/heic",
             "image/heif",
         ):
             return
-
         # gh #4658
         # Windows use application/x-zip-compressed as a mimetype for .zip files, which
         # is deprecated but still we need to support it. Instead, the common case for
         # zip files is application/zip or application/zip-compressed mimetype.
-        elif mime_type == "application/zip" and value.content_type in (
+        elif detected_mime_type == "application/zip" and provided_mime_type in (
             "application/zip-compressed",
             "application/x-zip-compressed",
         ):
             return
-        elif mime_type != value.content_type:
+        elif provided_mime_type != detected_mime_type:
             raise serializers.ValidationError(
                 _("The provided file is not a {file_type}.").format(
                     filename=value.name, file_type=f".{ext}"
diff --git a/src/openforms/formio/components/vanilla.py b/src/openforms/formio/components/vanilla.py
index 43d9e10be5..2d9dd1e9d4 100644
--- a/src/openforms/formio/components/vanilla.py
+++ b/src/openforms/formio/components/vanilla.py
@@ -311,14 +311,7 @@ class FileSerializer(serializers.Serializer):
     originalName = serializers.CharField(trim_whitespace=False)
     size = serializers.IntegerField(min_value=0)
     storage = serializers.ChoiceField(choices=["url"])
-    type = serializers.CharField(
-        error_messages={
-            "blank": _(
-                "Could not determine the file type. Please make sure the file name "
-                "has an extension."
-            ),
-        }
-    )
+    type = serializers.CharField(required=True, allow_blank=True)
     url = serializers.URLField()
     data = FileDataSerializer()  # type: ignore
 
diff --git a/src/openforms/formio/tests/files/test.msg b/src/openforms/formio/tests/files/test.msg
new file mode 100644
index 0000000000000000000000000000000000000000..b597796de62bb5b61b4584d863f83cb1cf44672c
GIT binary patch
literal 11264
zcmeHNO>7&-6`ti%f0XqX)pqR0<RrEmJF!`c`Z21cv3^JeHmsO66*tYnGDWT}*%Fu8
zT`5%oqY9Az9CGj}JrzjXpvWa?5}?hYK%k&SkXwQv2e&{Ar^&5A3iKxi3fSuVW_Kit
zC6}|L3nPU_nw@zwv-8b+^JeC~;ePl*-_4)Bx&ISZ5uRW=yR*^3TFc5cFRvr*Wh_Do
z%I<7zY@i5v%I<_Okp#{$ll~mWS(+6owb&}AQaS8lEt_-RLvM9<g~Yq-ZVyv#;y$lm
z>Y6>Cd|&G%a($OuHp^yNiBL^?8k9P0fl`}FR|IVnZPLgFSezxwJM;1h7Sh@&4?Tt0
zt2FtqB2Fb^?l1{wmU_>zB|=+Z1!Y{>=@F)Ba=H)7!ix0zzaoNfnU+@r-)75fj-C#?
z?D08EyrwA*QA|)-y8M-G`A3L<;P0bSq}wWM5Mcc)UR{{d+j!9nEkr|>Z4@Eb4vLsp
ztZ__P7sYOh_fe!Rfb~&CT|cGh6ZxI+<&nVMT>tWXAT_8OUU^0n>p-3tXmmH$f4Q`)
z0#_84<5yHQL<Yrg2*l^5X7J^^kV*MIAj@~s|8EKSpFe|2=g)4^P1uBxl#iNjR+X<m
zfBd8h{-*uWD85B!f1XbNQjODpmK_x1z*#K+Br~IB=l=m&Sdq$eU#8{NwfG;{M5=%O
z<Ls5TcX{8n@)+mKUZp?&H)s?XNwQW~Oxhp!Qwvr3qiw%;Sk%II?VfQVg?jc6>>2nX
zs`z`UEo>VEKm0*<LJ1$ZGPu3^Ke1jWy(a$n6H4-jjRw06WAM85O<<?(_geVj4~e<2
zKmX_}2>-AhFDT(Ft$z)6DQr?z{$aDK%>PIL`#T8#u$y6bBlyXGgbgd{AN(oU>#F?2
zo|pE&AHJ*o_4gmiyDGl)A7~i9{GU+NKgbh0rHYTWvWFsqKmREu`3L16d({sGx*z@|
zaj&%h3Lgymq{=^ZzyA6IzS{m9lz-`4LIkzt4}8eK?*1cm8GE`a|L||??|;CD4_;UQ
z1+J6<c&ZoRW7l8*z@JjV*PzSjQ<Z;U*IWOt<)?K11m+*MBGxQI?fFl8^MCi{4_vkL
zS84qR=D*VZZT9|)6F))pFG1~pOc4QQ7{*g8!nQyi&KR7twc5c3m37cZna8~p*4kGo
zKH!x{DUEsg2Pu7s;z5dsC?2NxHHr^YJVH_SQ<;9<s~eyc)+y?DLU0KjF_)c1)4ZCV
zK9egJrn67x&Ekq-Iflh&tcBbnKW|v}f?4FJmP)4O9OV-WPAXR@tlB(lUUHt#Sq4eJ
z@nGi`4SQ^E!6}GN<9Tx_P-iEXZ~yVx-@i8b#)qHIeed6IeHQ3tYJ8<&625IN8Ma{&
z<3R_Iou0`A#Vl`+_eW2s&Ze_t*|XE>Z2H{!^tt%t+3E5|KKaw;e37TjrY7NqM`N$P
z^NZenKP|F9X+1OKPHAhW>DGOoZpJyC!6x~~jAhw0n_*z~3f+^V%w}U0O>uW_6K#2S
z_Hpv2QK}MBImZ~~*_?BX4<z~c@@1Y(Bu4na&}ed){`v95P$JP4nX=5KQ7)O~k5`+v
zC%Pip<+&?H-Wjc;rCpI3bCg$6x2{MR46+7;_I~pCh0mYv8T{?9M^2r6>964j+Rsd^
zt9RDya;hc>b#$85CiPcNNf6A+w)ay1nq7bQdjC9?nT|hYIt{P?9x?#lrg-MrspU6g
zFTSSJO^TH-T^>jd|0StUI>vWf#x-5LwGmkhy{doK)*o8y`3K8{&!236y6vsL!`<J~
zwGhkCe-c@@4JX;kT7TDf_=~~tRR7zF`;PSuw*Rf;)^8rWKh~WX?t5t0#XQRlc6Mlm
z!I3?g&R_CW$cVh_E`eQz)i7_*Sf%)}CnG<Pyck*gw!!;vt~?y;J@7)u8eeVCaeKe1
ztvw%EkM%kxe=hd-T&bjAjAdf$i$}xEiAPV*^xrIAy%zh3hk9GqW1nh$d*8KpM~AbW
zYx(eXV{x@FI!p?yzd{@4_YeI*FU5LWbFoazdV6N+XylFJYBY82$i+(a^rcfq&MMn&
zCQUGaErmuupIb3F9cxB`ubRsix4i?C)969d@GWzNY8Mx5Cytk9=5xiXXv{B}miv-%
ziL#DOeP$PmdBY+uC@+^CmD170v*PUHljc$>S6mIUpVhX%r^x$&|54Zf(qO|$%fnY#
zUS*t8%gfiomp9J}{+9;3680p<;C1Vp9H&~?s|f!1YWGi)cUAmjgbN=G!5?2rA?-G<
z@}&D$274OzwJQFj)K-oE|Be6m2;svoK&ZukLTKNJivDfto+|%G3Adj7-Ftq_e_j0#
zj1ON$Fz?GhMu7RRi?6|dIz&;Ge|3C(e^3{{DgLD#nn}U849)b@=(`ddX`_8K^WNRS
zClf#fnac5uv9<&`1Wf*RHOAVv(K@@;gL)Zs_D?~}vM398Bk%r3*iU<vE@<H39w^E}
z+i0Er`6TY=er3{w0_|<RpnpOU?L%6Jpz-^W&TfQtwpV<wBF7!2+Xl49y@lKV2|=ek
zdW`N=QNQ-g2d_W=&U;!&drZ){qd<QlZCuc}9|av{6N29AuOR3aufHhyJ?KyV1{$Sb
z5kX^rb;tXhpm8VS_IFLtKiaI{w+rpJ@b(K@;)S#Wf|lcpvZ$c9@MD6O_+zZK8~xq6
z{P_iZYZcNu6QFwq-i>f4i-~$EFP-%aq5k$s^oTLGZL5#617dz$`9U7v6yta2??#xl
zy!5envB8J1zq8|K$p4)<HIo`orM{C5;Qq2I4qc#;H0%E~i;uxp^M7pmCT-F4vFGTw
zX@`979K`~CpJ&szaMHux^2$};s4gCz?G}0@^@6@C>w#XtPSe>RXx=rUN4Pik)~%qo
g^ibbcFZB-Ryt}Tx5dGoY1x<a3_C)T4dnkeb0F;w-MgRZ+

literal 0
HcmV?d00001

diff --git a/src/openforms/formio/tests/test_validators.py b/src/openforms/formio/tests/test_validators.py
index f0d0671d25..e9965b6076 100644
--- a/src/openforms/formio/tests/test_validators.py
+++ b/src/openforms/formio/tests/test_validators.py
@@ -108,6 +108,23 @@ def test_mime_type_inferred_from_magic(self):
         except ValidationError as e:
             self.fail(f"Valid file failed validation: {e}")
 
+    def test_unknown_file_type(self):
+        file = SimpleUploadedFile(
+            "unknown-type",
+            b"test",
+            content_type="application/octet-stream",  # see e2e test SingleFileTests.test_unknown_file_type
+        )
+        validator = validators.MimeTypeValidator(
+            allowed_mime_types=None
+        )  # allows any mime type
+
+        with self.assertRaisesMessage(
+            ValidationError,
+            "Could not determine the file type. Please make sure the file name "
+            "has an extension.",
+        ):
+            validator(file)
+
     def test_star_wildcard_in_allowed_mimetypes(self):
         validator = validators.MimeTypeValidator({"*"})
 
@@ -202,6 +219,23 @@ def test_allowed_mime_types_for_csv_files(self):
 
             validator(sample)
 
+    def test_allowed_mime_types_for_msg_files(self):
+        valid_type = "application/vnd.ms-outlook"
+        msg_file = TEST_FILES / "test.msg"
+        validator = validators.MimeTypeValidator(allowed_mime_types=[valid_type])
+
+        # 4795
+        # The sdk cannot determine the content_type for .msg files correctly.
+        # Because .msg is a windows specific file, and linux and MacOS don't know it.
+        # So we simulate the scenario where content_type is unknown
+        sample = SimpleUploadedFile(
+            name="test.msg",
+            content=msg_file.read_bytes(),
+            content_type="",  # replicate the behaviour of the frontend
+        )
+
+        validator(sample)
+
     def test_validate_files_multiple_mime_types(self):
         """Assert that validation of files associated with multiple mime types works
 
diff --git a/src/openforms/formio/tests/validation/test_file.py b/src/openforms/formio/tests/validation/test_file.py
index c656687d5f..61470f6696 100644
--- a/src/openforms/formio/tests/validation/test_file.py
+++ b/src/openforms/formio/tests/validation/test_file.py
@@ -602,10 +602,10 @@ def test_attach_upload_validates_unknown_file_type(self):
         }
 
         is_valid, errors = validate_formio_data(component, data, submission=submission)
-        error = extract_error(errors["foo"][0], "type")
+        error = extract_error(errors["foo"][0], "non_field_errors")
 
         self.assertFalse(is_valid)
-        self.assertEqual(error.code, "blank")
+        self.assertEqual(error.code, "invalid")
         self.assertEqual(
             error,
             _(
diff --git a/src/openforms/tests/e2e/test_input_validation.py b/src/openforms/tests/e2e/test_input_validation.py
index a320bce4bd..3ae9118844 100644
--- a/src/openforms/tests/e2e/test_input_validation.py
+++ b/src/openforms/tests/e2e/test_input_validation.py
@@ -955,8 +955,8 @@ def test_unknown_file_type(self):
 
         # The frontend validation will *not* create a TemporaryFileUpload,
         # as the frontend will block the upload because of the invalid file type.
-        # However the user could do an handcrafted API call.
-        # For this reason, we manually create an invalid TemporaryFileUpload
+        # However the user could do a handcrafted API call.
+        # For this reason, we manually try to create an invalid TemporaryFileUpload
         # and use it for the `api_value`:
 
         with open(TEST_FILES / "unknown-type", "rb") as infile:
@@ -971,7 +971,7 @@ def test_unknown_file_type(self):
                 ui_files=[TEST_FILES / "unknown-type"],
                 expected_ui_error=(
                     "Het bestandstype kon niet bepaald worden. Controleer of de "
-                    "bestandsnaam met een extensie eindigt (bijvoorbeel '.pdf' of "
+                    "bestandsnaam met een extensie eindigt (bijvoorbeeld '.pdf' of "
                     "'.png')."
                 ),
                 api_value=[
@@ -982,8 +982,8 @@ def test_unknown_file_type(self):
                 ],
             )
 
-        # Make sure the frontend did not create one:
-        self.assertEqual(TemporaryFileUpload.objects.count(), 1)
+        # Make sure that no temporary files were created
+        self.assertEqual(TemporaryFileUpload.objects.count(), 0)
 
 
 class SingleAddressNLTests(ValidationsTestCase):