Refactor redirect URL on deletion of Federal Awards Audit Findings (#…

…4386) * Hardcode redirect path * Validate redirect_uri - Created new method in `Util` class to return a redirect based on whether or not the `url` is valid and safe. * Lint * Linting again * One more lint. Hopefully
GSA-TTS · Oct 16, 2024 · c4eb9c1 · c4eb9c1
1 parent d3627f2
commit c4eb9c1
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/backend/audit/utils.py b/backend/audit/utils.py
@@ -1,4 +1,6 @@
 from django.conf import settings
+from django.shortcuts import redirect
+from django.utils.http import url_has_allowed_host_and_scheme
 
 from audit.fixtures.excel import FORM_SECTIONS
 from audit.intakelib import (
@@ -72,6 +74,14 @@ def remove_extra_fields(general_information_data):
             general_information_data.pop("audit_period_other_months", None)
         return general_information_data
 
+    @staticmethod
+    def validate_redirect_url(url):
+        """Ensure that the url received is safe to redirect to."""
+        if url_has_allowed_host_and_scheme(url, allowed_hosts=None):
+            return redirect(url)
+        else:
+            return redirect("/")
+
 
 class ExcelExtractionError(Exception):
     def __init__(

diff --git a/backend/report_submission/views.py b/backend/report_submission/views.py
@@ -577,14 +577,16 @@ def get(self, request, *args, **kwargs):
 
     def post(self, request, *args, **kwargs):
         report_id = kwargs["report_id"]
+        path_name = request.path.split("/")[2]
+        section = self.additional_context[path_name]
+        redirect_uri = f"/report_submission/{section['view_id']}/{report_id}"
         try:
             sac = SingleAuditChecklist.objects.get(report_id=report_id)
             accesses = Access.objects.filter(sac=sac, user=request.user)
+
             if not accesses:
                 messages.error(request, "You do not have access to this audit.")
-                return redirect(request.path)
-            path_name = request.path.split("/")[2]
-            section = self.additional_context[path_name]
+                return Util.validate_redirect_url(redirect_uri)
 
             try:
                 excel_files = ExcelFile.objects.filter(
@@ -597,7 +599,7 @@ def post(self, request, *args, **kwargs):
                 sac.save()
             except ExcelFile.DoesNotExist:
                 messages.error(request, "File not found.")
-                return redirect(request.path)
+                return Util.validate_redirect_url(redirect_uri)
 
             SubmissionEvent.objects.create(
                 sac_id=sac.id,
@@ -611,9 +613,9 @@ def post(self, request, *args, **kwargs):
         except SingleAuditChecklist.DoesNotExist:
             logger.error(f"Audit: {report_id} not found")
             messages.error(request, "Audit not found.")
-            return redirect(request.path)
+            return Util.validate_redirect_url(redirect_uri)
 
         except Exception as e:
             logger.error(f"Unexpected error in DeleteFileView post: {str(e)}")
             messages.error(request, "An unexpected error occurred.")
-            return redirect(request.path)
+            return Util.validate_redirect_url(redirect_uri)