From 07c9b448a9de30f060a57cc68bd575a981f00512 Mon Sep 17 00:00:00 2001
From: Steve Garon <steve.garon@cyber.gc.ca>
Date: Tue, 28 Sep 2021 13:39:14 +0000
Subject: [PATCH] Validate file classification during ingest

---
 assemblyline_ui/api/v4/ingest.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/assemblyline_ui/api/v4/ingest.py b/assemblyline_ui/api/v4/ingest.py
index 1f557032..a50f3e25 100644
--- a/assemblyline_ui/api/v4/ingest.py
+++ b/assemblyline_ui/api/v4/ingest.py
@@ -8,7 +8,7 @@
 from assemblyline.common.dict_utils import flatten
 from assemblyline.common.str_utils import safe_str
 from assemblyline_ui.api.base import api_login, make_api_response, make_subapi_blueprint
-from assemblyline_ui.config import TEMP_SUBMIT_DIR, STORAGE, config
+from assemblyline_ui.config import CLASSIFICATION, TEMP_SUBMIT_DIR, STORAGE, config
 from assemblyline_ui.helper.service import ui_to_submission_params
 from assemblyline_ui.helper.submission import safe_download, FileTooBigException, InvalidUrlException, \
     ForbiddenLocation, submission_received
@@ -243,7 +243,7 @@ def ingest_single_file(**kwargs):
                 binary.save(out_file)
 
             if os.path.getsize(out_file) == 0:
-                return make_api_response("", err="File empty. Ingestion failed", status_code=400)
+                return make_api_response({}, err="File empty. Ingestion failed", status_code=400)
 
             # Load default user params
             s_params = ui_to_submission_params(load_user_settings(user))
@@ -284,9 +284,9 @@ def ingest_single_file(**kwargs):
             # Validate file size
             if fileinfo['size'] > MAX_SIZE and not s_params.get('ignore_size', False):
                 msg = f"File too large ({fileinfo['size']} > {MAX_SIZE}). Ingestion failed"
-                return make_api_response("", err=msg, status_code=413)
+                return make_api_response({}, err=msg, status_code=413)
             elif fileinfo['size'] == 0:
-                return make_api_response("", err="File empty. Ingestion failed", status_code=400)
+                return make_api_response({}, err="File empty. Ingestion failed", status_code=400)
 
             # Decode cart if needed
             extracted_path, fileinfo, al_meta = decode_file(out_file, fileinfo)
@@ -297,6 +297,11 @@ def ingest_single_file(**kwargs):
             s_params['classification'] = al_meta.pop('classification', s_params['classification'])
             name = al_meta.pop('name', name)
 
+            # Validate ingest classification
+            if not CLASSIFICATION.is_accessible(user['classification'], s_params['classification']):
+                return make_api_response({}, "You cannot start a submission with higher "
+                                             "classification then you're allowed to see", 400)
+
             # Save the file to the filestore if needs be
             sha256 = fileinfo['sha256']
             if not f_transport.exists(sha256):
@@ -338,7 +343,7 @@ def ingest_single_file(**kwargs):
                     "params": s_params
                 })
             except (ValueError, KeyError) as e:
-                return make_api_response("", err=str(e), status_code=400)
+                return make_api_response({}, err=str(e), status_code=400)
 
             # Send submission object for processing
             ingest.push(submission_obj.as_primitives())