Merge pull request #77 from kbase/develop

Develop

staging_service/app.py

@@ -9,7 +9,7 @@
 from .JGIMetadata import read_metadata_for, translate_for_importer
 
 routes = web.RouteTableDef()
-VERSION = '1.1.5'
+VERSION = '1.1.6'
 
 
 @routes.get('/add-acl')
@@ -206,36 +206,37 @@ async def upload_files_chunked(request: web.Request):
     if not request.has_body:
         raise web.HTTPBadRequest(text='must provide destPath and uploads in body')
 
-    body = await request.post()
+    reader = await request.multipart()
+    counter = 0
+    user_file = None
+    destPath = None
+    while counter < 100:  # TODO this is arbitrary to keep an attacker from creating infinite loop
+        # This loop handles the null parts that come in inbetween destpath and file
+        part = await reader.next()
+
+        if part.name == 'destPath':
+            destPath = await part.text()
+        elif part.name == 'uploads':
+            user_file = part
+            break
+        else:
+            counter += 1
 
-    try:
-        destPath = body['destPath']
-        uploads = body['uploads']
-    except KeyError as wrong_key:
+    if not (user_file and destPath):
         raise web.HTTPBadRequest(text='must provide destPath and uploads in body')
 
-    try:
-        filename: str = os.path.basename(uploads)
-        uploads = open(uploads, 'rb')
-    except Exception:
-        try:
-            filename: str = os.path.basename(str(uploads.filename))
-            uploads = uploads.file
-        except Exception:
-            raise web.HTTPBadRequest(text='cannot read file: {}'.format(uploads))
-
+    filename: str = user_file.filename
     size = 0
     destPath = os.path.join(destPath, filename)
     path = Path.validate_path(username, destPath)
     os.makedirs(os.path.dirname(path.full_path), exist_ok=True)
     with open(path.full_path, 'wb') as f:  # TODO should we handle partial file uploads?
         while True:
-            chunk = uploads.read(1024)
+            chunk = await user_file.read_chunk()
             if not chunk:
                 break
             size += len(chunk)
             f.write(chunk)
-    uploads.close()
 
     if not os.path.exists(path.full_path):
         error_msg = 'We are sorry but upload was interrupted. Please try again.'.format(

tests/test_app.py

@@ -635,34 +635,16 @@ async def test_upload():
         with FileUtil() as fs:
             d = fs.make_dir(os.path.join(username, 'test'))
             f = fs.make_file(os.path.join(username, 'test', 'test_file_1'), txt)
-            res2 = await cli.post(os.path.join('upload'),
-                                  headers={'Authorization': ''},
-                                  data={'destPath': '',
-                                        'uploads': f})
 
-            assert res2.status == 200
+            files = {'destPath': '/',
+                     'uploads': open(f, 'rb')}
 
             res2 = await cli.post(os.path.join('upload'),
                                   headers={'Authorization': ''},
-                                  data={'destPath': '',
-                                        'uploads': open(f)})
+                                  data=files)
 
             assert res2.status == 200
 
-        # testing missing destPath in body
-        res3 = await cli.post('upload',
-                              headers={'Authorization': ''},
-                              data={'missing_destPath': 'test_destPath',
-                                    'uploads': 'test_uploads'})
-        assert res3.status == 400
-
-        # testing missing uploads in body
-        res4 = await cli.post('upload',
-                              headers={'Authorization': ''},
-                              data={'destPath': 'test_destPath',
-                                    'missing_uploads': 'test_uploads'})
-        assert res4.status == 400
-
 
 @settings(deadline=None)
 @asyncgiven(contents=st.text())