Added file extension type restrictions and updated specs

department-of-veterans-affairs · Dec 4, 2024 · 39fff39 · 39fff39
1 parent bc56c8b
commit 39fff39
Show file tree

Hide file tree

Showing 6 changed files with 100 additions and 36 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -2114,6 +2114,7 @@ spec/support/vcr_cassettes/spec/support @department-of-veterans-affairs/octo-ide
 spec/support/vcr_cassettes/staccato @department-of-veterans-affairs/vfs-10-10 @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 spec/support/vcr_cassettes/token_validation @department-of-veterans-affairs/lighthouse-banana-peels @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 spec/support/vcr_cassettes/travel_pay @department-of-veterans-affairs/travel-pay-integration @department-of-veterans-affairs/backend-review-group
+spec/support/vcr_cassettes/uploads/validate_document.yml @department-of-veterans-affairs/pension-and-burials @department-of-veterans-affairs/backend-review-group
 spec/spupport/vcr_cassettes/user/get_facilities_empty.yml @department-of-veterans-affairs/vfs-facilities-frontend @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 spec/support/vcr_cassettes/va_forms @department-of-veterans-affairs/platform-va-product-forms @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group
 spec/support/vcr_cassettes/va_notify @department-of-veterans-affairs/va-notify-write @department-of-veterans-affairs/va-api-engineers @department-of-veterans-affairs/backend-review-group

diff --git a/app/controllers/v0/claim_documents_controller.rb b/app/controllers/v0/claim_documents_controller.rb
@@ -15,23 +15,23 @@ class ClaimDocumentsController < ApplicationController
     def create
       uploads_monitor.track_document_upload_attempt(form_id, current_user)
 
-      attachment = klass.new(form_id:)
+      @attachment = klass.new(form_id:)
       # add the file after so that we have a form_id and guid for the uploader to use
-      attachment.file = unlock_file(params['file'], params['password'])
+      @attachment.file = unlock_file(params['file'], params['password'])
 
-      if Flipper.enabled?(:document_upload_validation_enabled) && !stamped_pdf_valid?(attachment)
-        raise Common::Exceptions::ValidationErrors, attachment
+      if Flipper.enabled?(:document_upload_validation_enabled) && !stamped_pdf_valid?
+        raise Common::Exceptions::ValidationErrors, @attachment
       end
 
-      raise Common::Exceptions::ValidationErrors, attachment unless attachment.valid?
+      raise Common::Exceptions::ValidationErrors, @attachment unless @attachment.valid?
 
-      attachment.save
+      @attachment.save
 
-      uploads_monitor.track_document_upload_success(form_id, attachment.id, current_user)
+      uploads_monitor.track_document_upload_success(form_id, @attachment.id, current_user)
 
-      render json: PersistentAttachmentSerializer.new(attachment)
+      render json: PersistentAttachmentSerializer.new(@attachment)
     rescue => e
-      uploads_monitor.track_document_upload_failed(form_id, attachment&.id, current_user, e)
+      uploads_monitor.track_document_upload_failed(form_id, @attachment&.id, current_user, e)
       raise e
     end
 
@@ -78,15 +78,25 @@ def unlock_file(file, file_password)
       file
     end
 
-    def stamped_pdf_valid?(attachment)
-      document = PDFUtilities::DatestampPdf.new(attachment.to_pdf).run(text: 'VA.GOV', x: 5, y: 5)
-      document = PDFUtilities::DatestampPdf.new(document).run(
-        text: 'FDC Reviewed - VA.gov Submission',
-        x: 429,
-        y: 770,
-        text_only: true
-      )
+    def stamped_pdf_valid?
+      extension = File.extname(@attachment&.file&.id)
+      allowed_types = PersistentAttachment::ALLOWED_DOCUMENT_TYPES
+
+      unless allowed_types.include?(extension)
+        raise Common::Exceptions::UnprocessableEntity.new(
+          detail: I18n.t('errors.messages.extension_allowlist_error', extension:, allowed_types:),
+          source: 'PersistentAttachment.unlock_file'
+        )
+      end
+
+      document = PDFUtilities::DatestampPdf.new(@attachment.to_pdf).run(text: 'VA.GOV', x: 5, y: 5)
       intake_service.valid_document?(document:)
+    rescue BenefitsIntake::Service::InvalidDocumentError => e
+      @attachment.errors.add(:attachment, e.message)
+      false
+    rescue PdfForms::PdftkError => e
+      @attachment.errors.add(:attachment, 'File is corrupt and cannot be uploaded')
+      false
     end
 
     def intake_service

diff --git a/app/models/persistent_attachment.rb b/app/models/persistent_attachment.rb
@@ -8,6 +8,8 @@
 class PersistentAttachment < ApplicationRecord
   include SetGuid
 
+  ALLOWED_DOCUMENT_TYPES = %w[.pdf .jpg .jpeg .png].freeze
+
   has_kms_key
   has_encrypted :file_data, key: :kms_key, **lockbox_options
   belongs_to :saved_claim, inverse_of: :persistent_attachments, optional: true

diff --git a/spec/controllers/v0/claim_documents_controller_spec.rb b/spec/controllers/v0/claim_documents_controller_spec.rb
@@ -4,7 +4,7 @@
 
 RSpec.describe V0::ClaimDocumentsController, type: :controller do
   let(:user) { create(:user) }
-  let(:file) { fixture_file_upload('doctors-note.gif') }
+  let(:file) { fixture_file_upload('doctors-note.jpg') }
   let(:password) { 'password' }
   let(:params) { { form_id: '21P-527EZ', file: file, password: password } }
   let(:attachment) { build(:persistent_attachment_va_form, file_data: file.to_json) }

diff --git a/spec/requests/swagger_spec.rb b/spec/requests/swagger_spec.rb
@@ -297,25 +297,27 @@
     end
 
     it 'supports adding a claim document' do
-      expect(subject).to validate(
-        :post,
-        '/v0/claim_attachments',
-        200,
-        '_data' => {
-          'form_id' => '21P-530V2',
-          file: fixture_file_upload('spec/fixtures/files/doctors-note.pdf')
-        }
-      )
+      VCR.use_cassette('uploads/validate_document') do
+        expect(subject).to validate(
+          :post,
+          '/v0/claim_attachments',
+          200,
+          '_data' => {
+            'form_id' => '21P-530V2',
+            file: fixture_file_upload('spec/fixtures/files/doctors-note.pdf')
+          }
+        )
 
-      expect(subject).to validate(
-        :post,
-        '/v0/claim_attachments',
-        422,
-        '_data' => {
-          'form_id' => '21P-530V2',
-          file: fixture_file_upload('spec/fixtures/files/empty_file.txt')
-        }
-      )
+        expect(subject).to validate(
+          :post,
+          '/v0/claim_attachments',
+          422,
+          '_data' => {
+            'form_id' => '21P-530V2',
+            file: fixture_file_upload('spec/fixtures/files/empty_file.txt')
+          }
+        )
+      end
     end
 
     it 'supports checking stem_claim_status' do