Import export fix (#5677)

* Update django-import-export * Add custom handler to ensure data import is not too excessive
2024-08-30 18:33:04 +00:00 · 2023-10-09 11:48:17 +11:00 · 2023-10-09 11:48:17 +11:00 · e9e505edd4
commit e9e505edd4
parent 608ca75763
3 changed files with 35 additions and 3 deletions
--- a/InvenTree/InvenTree/admin.py
+++ b/InvenTree/InvenTree/admin.py
@ -5,6 +5,7 @@ from django.http.request import HttpRequest

 from djmoney.contrib.exchange.admin import RateAdmin
 from djmoney.contrib.exchange.models import Rate
+from import_export.exceptions import ImportExportError
 from import_export.resources import ModelResource


@ -15,8 +16,39 @@ class InvenTreeResource(ModelResource):
    Ref: https://owasp.org/www-community/attacks/CSV_Injection
    """

+    MAX_IMPORT_ROWS = 1000
+    MAX_IMPORT_COLS = 100
+
+    def import_data_inner(
+        self,
+        dataset,
+        dry_run,
+        raise_errors,
+        using_transactions,
+        collect_failed_rows,
+        rollback_on_validation_errors=None,
+        **kwargs
+    ):
+        """Override the default import_data_inner function to provide better error handling"""
+
+        if len(dataset) > self.MAX_IMPORT_ROWS:
+            raise ImportExportError(f"Dataset contains too many rows (max {self.MAX_IMPORT_ROWS})")
+
+        if len(dataset.headers) > self.MAX_IMPORT_COLS:
+            raise ImportExportError(f"Dataset contains too many columns (max {self.MAX_IMPORT_COLS})")
+
+        return super().import_data_inner(
+            dataset,
+            dry_run,
+            raise_errors,
+            using_transactions,
+            collect_failed_rows,
+            rollback_on_validation_errors=rollback_on_validation_errors,
+            **kwargs
+        )
+
    def export_resource(self, obj):
-        """Custom function to override default row export behaviour.
+        """Custom function to override default row export behavior.

        Specifically, strip illegal leading characters to prevent formula injection
        """
--- a/requirements.in
+++ b/requirements.in
@ -13,7 +13,7 @@ django-filter                           # Extended filtering options
 django-flags                            # Feature flags
 django-formtools                        # Form wizard tools
 django-ical                             # iCal export for calendar views
-django-import-export==2.5.0             # Data import / export for admin interface
+django-import-export>=3.3.1             # Data import / export for admin interface
 django-maintenance-mode                 # Shut down application while reloading etc.
 django-markdownify                      # Markdown rendering
 django-money<3.0.0                      # Django app for currency management  # FIXED 2022-06-26 to make sure py-moneyed is not conflicting
--- a/requirements.txt
+++ b/requirements.txt
@ -105,7 +105,7 @@ django-formtools==2.4.1
    # via -r requirements.in
 django-ical==1.9.2
    # via -r requirements.in
-django-import-export==2.5.0
+django-import-export==3.3.1
    # via -r requirements.in
 django-js-asset==2.1.0
    # via django-mptt