Prevent possible Code injection in podfile (#1367)

Badatos · github-advanced-security[bot] · web-flow · commit 0c06d860a81e · 2025-11-06T09:30:26.000+01:00
Fixes for security alerts : - https://github.com/EsupPortail/Esup-Pod/security/code-scanning/44 - https://github.com/EsupPortail/Esup-Pod/security/code-scanning/45 - https://github.com/EsupPortail/Esup-Pod/security/code-scanning/46 Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
diff --git a/pod/locale/fr/LC_MESSAGES/django.mo b/pod/locale/fr/LC_MESSAGES/django.mo
diff --git a/pod/locale/fr/LC_MESSAGES/django.po b/pod/locale/fr/LC_MESSAGES/django.po
@@ -5,7 +5,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Pod\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-10-09 14:25+0200\n"
+"POT-Creation-Date: 2025-10-15 17:14+0200\n"
 "PO-Revision-Date: \n"
 "Last-Translator: obado <bado@unice.fr>\n"
 "Language-Team: Pod Team cotech-esup-pod@esup-portail.org\n"
@@ -10775,6 +10775,15 @@ msgstr "Statistiques de visualisation des vidéos du thème %s"
 msgid "You do not have access rights to this video: %s "
 msgstr "Vous n’avez pas les droits d’accès à cette vidéo : %s "
 
+#: pod/video/views.py
+#, python-format
+msgid ""
+"The following “%(target)s” type target does not exist or contains no videos: "
+"%(slug)s."
+msgstr ""
+"La cible de type « %(target)s » suivant(e) n’existe pas ou ne contient "
+"aucune vidéo : %(slug)s."
+
 #: pod/video/views.py
 #, python-format
 msgid "The following video does not exist: %s"
diff --git a/pod/locale/nl/LC_MESSAGES/django.po b/pod/locale/nl/LC_MESSAGES/django.po
@@ -10084,6 +10084,13 @@ msgstr ""
 msgid "You do not have access rights to this video: %s "
 msgstr ""
 
+#: pod/video/views.py
+#, python-format
+msgid ""
+"The following “%(target)s” type target does not exist or contains no videos: "
+"%(slug)s."
+msgstr ""
+
 #: pod/video/views.py
 #, python-format
 msgid "The following video does not exist: %s"
diff --git a/pod/podfile/views.py b/pod/podfile/views.py
@@ -266,9 +266,15 @@ def deletefolder(request):
 @staff_member_required(redirect_field_name="referrer")
 def deletefile(request):
     if request.POST.get("id") and request.POST.get("classname"):
-        file = get_object_or_404(
-            eval(request.POST.get("classname")), id=request.POST.get("id")
-        )
+        classname = request.POST.get("classname")
+        if classname == "CustomImageModel":
+            file = get_object_or_404(
+                CustomImageModel, id=request.POST.get("id")
+            )
+        else:
+            file = get_object_or_404(
+                CustomFileModel, id=request.POST.get("id")
+            )
         folder = file.folder
         if request.user != file.created_by and not (
             request.user.is_superuser
@@ -398,9 +404,16 @@ def changefile(request):
             )
             raise PermissionDenied
 
-        file = get_object_or_404(
-            eval(request.POST.get("file_type")), id=request.POST.get("file_id")
-        )
+        file_type = request.POST.get("file_type")
+        if file_type == "CustomImageModel":
+            file = get_object_or_404(
+                CustomImageModel, id=request.POST.get("file_id")
+            )
+        else:
+            file = get_object_or_404(
+                CustomFileModel, id=request.POST.get("file_id")
+            )
+
         if request.user != file.created_by and not (
             request.user.is_superuser
             or request.user.has_perm("podfile.change_customfilemodel")
@@ -410,9 +423,14 @@ def changefile(request):
             messages.add_message(request, messages.ERROR, _("You cannot edit this file."))
             raise PermissionDenied
 
-        form_file = eval("%sForm" % request.POST.get("file_type"))(
-            request.POST, request.FILES, instance=file
-        )
+        if file_type == "CustomImageModel":
+            form_file = CustomImageModelForm(
+                request.POST, request.FILES, instance=file
+            )
+        else:
+            form_file = CustomFileModelForm(
+                request.POST, request.FILES, instance=file
+            )
 
         if form_file.is_valid():
             if form_file.cleaned_data["folder"] != folder:
diff --git a/pod/settings.py b/pod/settings.py
@@ -19,7 +19,7 @@
 ##
 # Version of the project
 #
-VERSION = "4.0.1"
+VERSION = "4.0.3"
 
 ##
 # Installed applications list
diff --git a/pod/video/views.py b/pod/video/views.py
@@ -17,6 +17,7 @@
 from django.http import QueryDict, Http404
 from django.views.decorators.csrf import csrf_protect
 from django.contrib import messages
+from django.utils.html import escape
 from django.utils.translation import ngettext
 from django.utils.translation import gettext_lazy as _
 from django.contrib.auth.models import User
@@ -2645,8 +2646,8 @@ def stats_view(request, slug=None, slug_t=None):
     """
     target = request.GET.get("from", "videos")
     videos, title = get_videos(slug, target, slug_t)
-    error_message = (
-        "The following %(target)s does not exist or contain any videos: %(slug)s"
+    error_message = _(
+        "The following “%(target)s” type target does not exist or contains no videos: %(slug)s."
     )
     if request.method == "GET" and target == "video" and videos:
         return manage_access_rights_stats_video(request, videos[0], title)
@@ -2659,7 +2660,7 @@ def stats_view(request, slug=None, slug_t=None):
     ):
         slug = slug if not slug_t else slug_t
         target = "Pod" if target == "videos" else target
-        return HttpResponseNotFound(_(error_message) % {"target": target, "slug": slug})
+        return HttpResponseNotFound(error_message % {"target": escape(target), "slug": escape(slug)})
 
     if (
         request.method == "POST"

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`##`
`20`	`20`	`# Version of the project`
`21`	`21`	`#`
`22`		`-VERSION = "4.0.1"`
	`22`	`+VERSION = "4.0.3"`
`23`	`23`
`24`	`24`	`##`
`25`	`25`	`# Installed applications list`