export_controller.ex 1.42 KB
Newer Older
1
2
3
4
5
6
7
8
defmodule Mobilizon.Web.ExportController do
  @moduledoc """
  Controller to serve exported files
  """
  use Mobilizon.Web, :controller
  plug(:put_layout, false)
  action_fallback(Mobilizon.Web.FallbackController)
  alias Mobilizon.Export
9
  import Mobilizon.Service.Export.Participants.Common, only: [enabled_formats: 0, export_path: 1]
10
11
12
13
14
15
16
17
  import Mobilizon.Web.Gettext, only: [dgettext: 3]

  # sobelow_skip ["Traversal.SendDownload"]
  @spec export(Plug.Conn.t(), map) :: {:error, :not_found} | Plug.Conn.t()
  def export(conn, %{"format" => format, "file" => file}) do
    if format in enabled_formats() do
      case Export.get_export(file, "event_participants", format) do
        %Export{file_name: file_name, file_path: file_path} ->
18
          local_path = Path.join(export_path(format), file_path)
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
          # We're using encode: false to disable escaping the filename with URI.encode_www_form/1
          # but it may introduce an security issue if the event title wasn't properly sanitized
          # https://github.com/phoenixframework/phoenix/pull/3344
          # https://owasp.org/www-community/attacks/HTTP_Response_Splitting
          send_download(conn, {:file, local_path}, filename: file_name, encode: false)

        nil ->
          {:error, :not_found}
      end
    else
      {:error,
       dgettext("errors", "Export to format %{format} is not enabled on this instance",
         format: format
       )}
    end
  end
end