Upload files using Rest #4300
Upload files using Rest #4300
Conversation
| @@ -34,6 +35,7 @@ public class TestResultUpload extends AuditedEntity { | |||
|
|
|||
| @ManyToOne(optional = false, fetch = FetchType.LAZY) | |||
| @JoinColumn(name = "org_id") | |||
| @JsonIgnore | |||
| private Organization organization; | |||
There was a problem hiding this comment.
Json Ignoring this since we don't want to return it as part of the response object when uploading results
zdeveloper
force-pushed
the
zedd/upload-files-with-rest
branch
2 times, most recently
from
ff73873 to
4c7842c
Compare
|
|
||
| /** An error thrown when CSV uploads fail for reasons other than validation */ | ||
| @ResponseStatus(HttpStatus.BAD_REQUEST) |
There was a problem hiding this comment.
Since allows us to set the response status to 400 when we throw this error inside the upload controller
zdeveloper
requested review from
DanielSass,
nathancrtr,
emmastephenson,
mehansen,
BobanL,
emyl3 and
georgehager
| private final TestResultUploadService testResultUploadService; | ||
|
|
||
| @PostMapping(PATIENT_UPLOAD) | ||
| public String handlePatientsUpload(@RequestParam("file") MultipartFile file) { |
There was a problem hiding this comment.
Is there a way to put some stricter typing/validation on these multipart files? Such that we can reject if it's not a CSV? In particular, I'm worried that since this won't be applying graphQL's argument limits anymore, theoretically people could try to upload massive or incorrectly formatted files - it's a bit of a security concern, even though this endpoint is only open to authenticated users.
There was a problem hiding this comment.
Looks like it's a Spring configuration we can enable: spring.servlet.multipart.max-file-size
Great minds think alike - you fixed this in the same minute I commented 🤣
There was a problem hiding this comment.
I am also adding an assert on the type of the file, even though that does nothing to the security since file extensions are a syntactical sugar on files
There was a problem hiding this comment.
have we thought about using something like clamav for file type and virus scanning?
There was a problem hiding this comment.
(we were using clamav for file upload scanning on a defense project and it worked pretty well, though not sure it would work for this specific use case)
There was a problem hiding this comment.
I dont think I ever heard of clamav, it could be something we can look into, doesnt seem like a quick thing to integrate with spring though
There was a problem hiding this comment.
no I wasn't suggesting it for this PR 😄 maybe just a future thing if we want to bump up our security
There was a problem hiding this comment.
also from what I remember it was not too bad to integrate with java/spring but not a quick add
zdeveloper
force-pushed
the
zedd/upload-files-with-rest
branch
from
f45092f to
451e7fe
Compare
zdeveloper
force-pushed
the
zedd/upload-files-with-rest
branch
from
451e7fe to
db00372
Compare
| max-file-size: 50MB | ||
| server: | ||
| error: | ||
| include-stacktrace: never |
There was a problem hiding this comment.
This removes the trace from any exceptions returned to the frontend
| @@ -49,6 +49,12 @@ spring: | |||
| jdbc: | |||
| initialize-schema: never | |||
| table-name: ${spring.jpa.properties.hibernate.default_schema}.spring_session | |||
| servlet: | |||
| multipart: | |||
| max-file-size: 50MB | |||
There was a problem hiding this comment.
This is set to the same max file limit enforced by the frontend for result upload
| assertThrows(IllegalGraphqlArgumentException.class, () -> sut.uploadPatients(input)); | ||
| assertThat(caught).hasMessage("PANIC"); | ||
| } | ||
|
|
There was a problem hiding this comment.
These tests have been replaced by FileUploadControllerTest
|
Kudos, SonarCloud Quality Gate passed! |
backend/src/main/java/gov/cdc/usds/simplereport/api/patient/PatientMutationResolver.java
Show resolved
Hide resolved
| private final TestResultUploadService testResultUploadService; | ||
|
|
||
| @PostMapping(PATIENT_UPLOAD) | ||
| public String handlePatientsUpload(@RequestParam("file") MultipartFile file) { |
There was a problem hiding this comment.
have we thought about using something like clamav for file type and virus scanning?
| private final TestResultUploadService testResultUploadService; | ||
|
|
||
| @PostMapping(PATIENT_UPLOAD) | ||
| public String handlePatientsUpload(@RequestParam("file") MultipartFile file) { |
There was a problem hiding this comment.
(we were using clamav for file upload scanning on a defense project and it worked pretty well, though not sure it would work for this specific use case)
backend/src/main/java/gov/cdc/usds/simplereport/service/TestResultUploadService.java
Show resolved
Hide resolved
backend/src/test/java/gov/cdc/usds/simplereport/api/patient/PatientMutationResolverTest.java
Show resolved
Hide resolved
* upload files via rest * update frontend tests * add file upload controller test and remove unused resolvers * remove unused code * add tests and enable cors * add Patient Upload tests * adding sonar feedback * add access-token to FileUploadService * update patient upload error alert title * update uploads error checking * limit upload file size to 50MB in the backend to match frontend * only accept csv files and dont send back exception traces
BACKEND PULL REQUEST
Related Issue
Changes Proposed
Additional Information
Testing
Checklist for Primary Reviewer
test,dev, orpentestand smoke tested