From e6c292642612d4b2255e104a5a941db3cc77a460 Mon Sep 17 00:00:00 2001
From: Colin Darie
Date: Tue, 20 Aug 2024 15:51:54 +0200
Subject: [PATCH 1/2] fix(xss): injection from pj malicious filename would trick browser and lead to XSS injection

---
 app/views/instructeurs/dossiers/pieces_jointes.html.haml | 4 ++--
 app/views/shared/champs/piece_justificative/_show.html.haml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/views/instructeurs/dossiers/pieces_jointes.html.haml b/app/views/instructeurs/dossiers/pieces_jointes.html.haml
index 97ab75c5551..95e08d1fce4 100644
--- a/app/views/instructeurs/dossiers/pieces_jointes.html.haml
+++ b/app/views/instructeurs/dossiers/pieces_jointes.html.haml
@@ -8,7 +8,7 @@
 .gallery-item
 - blob = attachment.blob
 - if displayable_pdf?(blob)
- = link_to blob.url, id: blob.id, data: { iframe: true, src: blob.url }, class: 'gallery-link', type: blob.content_type, title: "#{libelle} -- #{blob.filename}" do
+ = link_to blob.url, id: blob.id, data: { iframe: true, src: blob.url }, class: 'gallery-link', type: blob.content_type, title: "#{libelle} -- #{sanitize(blob.filename.to_s)}" do
 .thumbnail
 = image_tag(preview_url_for(attachment), loading: :lazy)
 .fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button }
@@ -18,7 +18,7 @@
 = render Attachment::ShowComponent.new(attachment: attachment, truncate: true)
 - elsif displayable_image?(blob)
- = link_to image_url(blob_url(attachment)), title: "#{libelle} -- #{blob.filename}", data: { src: blob.url }, class: 'gallery-link' do
+ = link_to image_url(blob_url(attachment)), title: "#{libelle} -- #{sanitize(blob.filename.to_s)}", data: { src: blob.url }, class: 'gallery-link' do
 .thumbnail
 = image_tag(variant_url_for(attachment), loading: :lazy)
 .fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button }
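Review bot: `sanitize` in the new `title:` interpolation at `@@ -8,7 +8,7 @@` is a safe-list scrubber, not a text extractor: it keeps tags such as `<b>`, `<i>`, `<a>` (with `href`) and `<img>` (with `src`), so a filename built from those still reaches the attribute as markup. Rails' tag helper already HTML-escapes this attribute because the interpolated string is not `html_safe`, so the remaining risk is presumably a client-side gallery script that reads `title` back and inserts it as HTML; in that case the scrubber narrows what gets through but does not close the sink. A title only ever needs text, so `title: "#{libelle} -- #{strip_tags(blob.filename.to_s)}"` states the intent and removes the safe-listed tags as well; the same applies to the `displayable_image?` branch at `@@ -18,7 +18,7 @@` and to both `link_to` lines in `_show.html.haml` in this patch. If a script does assign `title` via `innerHTML`, it should use a text assignment instead, independently of this server-side filter.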
diff --git a/app/views/shared/champs/piece_justificative/_show.html.haml b/app/views/shared/champs/piece_justificative/_show.html.haml
index 12d1bca879f..4ee1be3d4df 100644
--- a/app/views/shared/champs/piece_justificative/_show.html.haml
+++ b/app/views/shared/champs/piece_justificative/_show.html.haml
@@ -5,14 +5,14 @@
 .gallery-item
 - blob = attachment.blob
 - if displayable_pdf?(blob)
- = link_to blob.url, id: blob.id, data: { iframe: true, src: blob.url }, class: 'gallery-link', type: blob.content_type, title: "#{champ.libelle} -- #{blob.filename}" do
+ = link_to blob.url, id: blob.id, data: { iframe: true, src: blob.url }, class: 'gallery-link', type: blob.content_type, title: "#{champ.libelle} -- #{sanitize(blob.filename.to_s)}" do
 .thumbnail
 = image_tag(preview_url_for(attachment), loading: :lazy)
 .fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button }
 = 'Visualiser'
 - elsif displayable_image?(blob)
- = link_to image_url(blob_url(attachment)), title: "#{champ.libelle} -- #{blob.filename}", data: { src: blob.url }, class: 'gallery-link' do
+ = link_to image_url(blob_url(attachment)), title: "#{champ.libelle} -- #{sanitize(blob.filename.to_s)}", data: { src: blob.url }, class: 'gallery-link' do
 .thumbnail
 = image_tag(variant_url_for(attachment), loading: :lazy)
 .fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button }
From 87cc8a72413c3a4533ab112ac9330e38c5a98bea Mon Sep 17 00:00:00 2001
From: Colin Darie
Date: Tue, 20 Aug 2024 15:52:30 +0200
Subject: [PATCH 2/2] fix(dossier): render PJ champ respects profile context

---
 .../champs_rows_show_component.html.haml | 2 +-
 app/views/shared/champs/piece_justificative/_show.html.haml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/components/dossiers/champs_rows_show_component/champs_rows_show_component.html.haml b/app/components/dossiers/champs_rows_show_component/champs_rows_show_component.html.haml
index 2ff8db51a83..4edba264ea1 100644
--- a/app/components/dossiers/champs_rows_show_component/champs_rows_show_component.html.haml
+++ b/app/components/dossiers/champs_rows_show_component/champs_rows_show_component.html.haml
@@ -23,7 +23,7 @@
 - when TypeDeChamp.type_champs.fetch(:multiple_drop_down_list)
 = render partial: "shared/champs/multiple_drop_down_list/show", locals: { champ: champ }
 - when TypeDeChamp.type_champs.fetch(:piece_justificative), TypeDeChamp.type_champs.fetch(:titre_identite)
- = render partial: "shared/champs/piece_justificative/show", locals: { champ: champ }
+ = render partial: "shared/champs/piece_justificative/show", locals: { champ: champ, profile: @profile }
 - when TypeDeChamp.type_champs.fetch(:siret)
 = render partial: "shared/champs/siret/show", locals: { champ: champ, profile: @profile }
 - when TypeDeChamp.type_champs.fetch(:iban)
diff --git a/app/views/shared/champs/piece_justificative/_show.html.haml b/app/views/shared/champs/piece_justificative/_show.html.haml
index 4ee1be3d4df..ef216dc3ac2 100644
--- a/app/views/shared/champs/piece_justificative/_show.html.haml
+++ b/app/views/shared/champs/piece_justificative/_show.html.haml
@@ -1,5 +1,5 @@
 .fr-downloads-group
- - if instructeur_signed_in? && feature_enabled?(:gallery_demande)
+ - if profile == 'instructeur' && feature_enabled?(:gallery_demande)
 .gallery-items-list
 - champ.piece_justificative_file.attachments.with_all_variant_records.each do |attachment|
 .gallery-item
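Review bot: `profile` becomes a required local of `_show.html.haml` at the new `- if` line in `@@ -1,5 +1,5 @@`, so any render of `shared/champs/piece_justificative/show` that does not pass it will raise `NameError`; the `champs_rows_show_component.html.haml` hunk updates one caller, and any other call sites are outside this diff. `- if local_assigns[:profile] == 'instructeur' && feature_enabled?(:gallery_demande)` gives the same result for this caller and falls through to the non-gallery branch when the local is absent. Replacing `instructeur_signed_in?` with a caller-supplied string also turns this from a session check into a presentation switch; the gallery branch of this file (visible in the first patch) links to `blob.url` directly, so access to those URLs must be enforced by the controller or blob authorization rather than by this condition. The `.fr-downloads-group` block continues past the end of the hunk.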