Update file upload field to accept dynamic file types and add validation for supported extensions (#14143)

Maffooch · web-flow · commit a56d3ea7eba6 · 2026-01-22T21:46:13.000-06:00
diff --git a/dojo/forms.py b/dojo/forms.py
@@ -891,7 +891,7 @@ class EditRiskAcceptanceForm(forms.ModelForm):
     recommendation = forms.ChoiceField(choices=Risk_Acceptance.TREATMENT_CHOICES, initial=Risk_Acceptance.TREATMENT_ACCEPT, widget=forms.RadioSelect, label="Security Recommendation")
     decision = forms.ChoiceField(choices=Risk_Acceptance.TREATMENT_CHOICES, initial=Risk_Acceptance.TREATMENT_ACCEPT, widget=forms.RadioSelect)
 
-    path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ".jpg,.png,.pdf"}))
+    path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ", ".join(settings.FILE_IMPORT_TYPES)}))
     expiration_date = forms.DateTimeField(required=False, widget=forms.TextInput(attrs={"class": "datepicker"}))
 
     class Meta:
@@ -904,10 +904,20 @@ def __init__(self, *args, **kwargs):
         self.fields["expiration_date_warned"].disabled = True
         self.fields["expiration_date_handled"].disabled = True
 
+    def clean_path(self):
+        if (data := self.cleaned_data.get("path")) is not None:
+            ext = Path(data.name).suffix  # [0] returns path+filename
+            valid_extensions = settings.FILE_UPLOAD_TYPES
+            if ext.lower() not in valid_extensions:
+                if accepted_extensions := f"{', '.join(valid_extensions)}":
+                    msg = f"Unsupported extension. Supported extensions are as follows: {accepted_extensions}"
+                else:
+                    msg = "File uploads are prohibited due to the list of acceptable file extensions being empty"
+                raise ValidationError(msg)
+        return data
+
 
 class RiskAcceptanceForm(EditRiskAcceptanceForm):
-    # path = forms.FileField(label="Proof", required=False, widget=forms.widgets.FileInput(attrs={"accept": ".jpg,.png,.pdf"}))
-    # expiration_date = forms.DateTimeField(required=False, widget=forms.TextInput(attrs={'class': 'datepicker'}))
     accepted_findings = forms.ModelMultipleChoiceField(
         queryset=Finding.objects.none(), required=True,
         widget=forms.widgets.SelectMultiple(attrs={"size": 10}),
