From ef2127585cce8956e5efac27dfce054895569312 Mon Sep 17 00:00:00 2001
From: Samuel Paccoud - DINUM <samuel.paccoud@mail.numerique.gouv.fr>
Date: Sat, 1 Mar 2025 11:49:40 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B(backend)=20allow=20any=20type=20of?=
 =?UTF-8?q?=20extensions=20for=20media=20download?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The regex to validate media file extensions was too restrictive.
---
 CHANGELOG.md                                  |  1 +
 src/backend/core/api/viewsets.py              |  2 +-
 .../test_api_documents_media_auth.py          | 24 +++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15d27b25..f81c5a00 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ and this project adheres to
 
 ## Fixed
 
+- 🐛(backend) allow any type of extensions for media download #671
 - ♻️(frontend) improve table pdf rendering
 
 ## [2.2.0] - 2025-02-10
diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index e9616aff..799b8374 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -38,7 +38,7 @@ ATTACHMENTS_FOLDER = "attachments"
 UUID_REGEX = (
     r"[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}"
 )
-FILE_EXT_REGEX = r"\.[a-zA-Z]{3,4}"
+FILE_EXT_REGEX = r"\.[a-zA-Z0-9]{1,10}"
 MEDIA_STORAGE_URL_PATTERN = re.compile(
     f"{settings.MEDIA_URL:s}(?P<pk>{UUID_REGEX:s})/"
     f"(?P<key>{ATTACHMENTS_FOLDER:s}/{UUID_REGEX:s}{FILE_EXT_REGEX:s})$"
diff --git a/src/backend/core/tests/documents/test_api_documents_media_auth.py b/src/backend/core/tests/documents/test_api_documents_media_auth.py
index 28fd370c..b4bd2fa9 100644
--- a/src/backend/core/tests/documents/test_api_documents_media_auth.py
+++ b/src/backend/core/tests/documents/test_api_documents_media_auth.py
@@ -64,6 +64,30 @@ def test_api_documents_media_auth_anonymous_public():
     assert response.content.decode("utf-8") == "my prose"
 
 
+def test_api_documents_media_auth_extensions():
+    """Files with extensions of any format should work."""
+    document = factories.DocumentFactory(link_reach="public")
+
+    extensions = [
+        "c",
+        "go",
+        "gif",
+        "mp4",
+        "woff2",
+        "appimage",
+    ]
+    for ext in extensions:
+        filename = f"{uuid.uuid4()!s}.{ext:s}"
+        key = f"{document.pk!s}/attachments/{filename:s}"
+
+        original_url = f"http://localhost/media/{key:s}"
+        response = APIClient().get(
+            "/api/v1.0/documents/media-auth/", HTTP_X_ORIGINAL_URL=original_url
+        )
+
+        assert response.status_code == 200
+
+
 @pytest.mark.parametrize("reach", ["authenticated", "restricted"])
 def test_api_documents_media_auth_anonymous_authenticated_or_restricted(reach):
     """