From 2556823a69688f0840efb2c79107d6d49568c16d Mon Sep 17 00:00:00 2001
From: Manuel Raynaud
Date: Tue, 9 Dec 2025 17:14:39 +0100
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F(backend)=20stop=20returning?=
 =?UTF-8?q?=20a=20415=20on=20cors-proxy=20endpoint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the content-type return by the targeted url is not an image, the endpoint was returning a 415 status code. We don't want to provide this info anymore avoid disclosing information an attacker can use.
---
 src/backend/core/api/viewsets.py | 3 ++-
 .../core/tests/documents/test_api_documents_cors_proxy.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index dd6d4f08..9a4c2154 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -1810,7 +1810,8 @@ class DocumentViewSet(
 
         if not content_type.startswith("image/"):
             return drf.response.Response(
-                status=status.HTTP_415_UNSUPPORTED_MEDIA_TYPE
+                {"detail": "Invalid URL used."},
+                status=status.HTTP_400_BAD_REQUEST
             )
 
     # Use StreamingHttpResponse with the response's iter_content to properly stream the data
diff --git a/src/backend/core/tests/documents/test_api_documents_cors_proxy.py b/src/backend/core/tests/documents/test_api_documents_cors_proxy.py
index eb212b44..6f0d4316 100644
--- a/src/backend/core/tests/documents/test_api_documents_cors_proxy.py
+++ b/src/backend/core/tests/documents/test_api_documents_cors_proxy.py
@@ -186,7 +186,8 @@ def test_api_docs_cors_proxy_unsupported_media_type(mock_getaddrinfo):
     response = client.get(
         f"/api/v1.0/documents/{document.id!s}/cors-proxy/?url={url_to_fetch}"
     )
-    assert response.status_code == 415
+    assert response.status_code == 400
+    assert response.json() == {"detail": "Invalid URL used."}
 
 
 @pytest.mark.parametrize(
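Review bot: The generic `{"detail": "Invalid URL used."}` / 400 body is introduced only on the non-image content-type branch, so the information-hiding goal stated in the commit message holds only if every other rejection path of this action (URL validation, upstream connection failure, non-2xx upstream status) returns the same status and body; those branches lie outside the hunk and I cannot confirm they do, but if any still returns a distinct code or message, a client can keep distinguishing "fetched but not an image" from "could not fetch". Lifting the body into one module-level constant and returning it from each of those branches would make the responses indistinguishable by construction and keep the wording in sync with the test that now pins it. Since the 415 carried the only hint of why the fetch was rejected, consider keeping that diagnostic server-side with a debug-level log of the rejected content type immediately before the `return`, so operators are not left blind. The enclosing cors-proxy action starts and ends outside this hunk.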
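Review bot: The test function is still named `test_api_docs_cors_proxy_unsupported_media_type` while its assertions now expect a 400 with `{"detail": "Invalid URL used."}`, so the name describes a response the endpoint no longer produces. Renaming it after the input it exercises (a non-image content type from the fetched URL) rather than the former status code would stop it reading as a stale expectation; the function's setup lines are outside the hunk.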