Merge pull request #2049 from wger-project/feature/image-validation

Adds validator for (exercise) images

Author: rolandgeider

wger/exercises/api/views.py

@@ -17,18 +17,17 @@
 import logging
 from uuid import UUID
 
+# Third Party
+import bleach
+from actstream import action as actstream_action
+from bleach.css_sanitizer import CSSSanitizer
 # Django
 from django.conf import settings
 from django.contrib.postgres.search import TrigramSimilarity
 from django.db.models import Q
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext as _
 from django.views.decorators.cache import cache_page
-
-# Third Party
-import bleach
-from actstream import action as actstream_action
-from bleach.css_sanitizer import CSSSanitizer
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
     OpenApiParameter,
@@ -90,7 +89,6 @@
 from wger.utils.db import is_postgres_db
 from wger.utils.language import load_language
 
-
 logger = logging.getLogger(__name__)
 
 
@@ -298,9 +296,9 @@ def search(request):
             try:
                 thumbnail = t.get_thumbnail(aliases.get('micro_cropped')).url
             except InvalidImageFormatError as e:
-                logger.info(f'InvalidImageFormatError while processing a thumbnail: {e}')
+                logger.warning(f'InvalidImageFormatError while processing a thumbnail: {e}')
             except OSError as e:
-                logger.info(f'OSError while processing a thumbnail: {e}')
+                logger.warning(f'OSError while processing a thumbnail: {e}')
 
         result_json = {
             'value': translation.name,

wger/exercises/models/image.py

@@ -21,14 +21,14 @@
 # Django
 from django.db import models
 from django.utils.translation import gettext_lazy as _
-
 # Third Party
 from simple_history.models import HistoricalRecords
 
 # wger
 from wger.exercises.models import Exercise
 from wger.utils.cache import reset_exercise_api_cache
 from wger.utils.helpers import BaseImage
+from wger.utils.images import validate_image_static_no_animation
 from wger.utils.models import (
     AbstractHistoryMixin,
     AbstractLicenseModel,
@@ -78,39 +78,34 @@ class ExerciseImage(AbstractLicenseModel, AbstractHistoryMixin, models.Model, Ba
 
     image = models.ImageField(
         verbose_name=_('Image'),
-        help_text=_('Only PNG and JPEG formats are supported'),
+        help_text='Only PNG and JPEG formats are supported',
         upload_to=exercise_image_upload_dir,
+        validators=[validate_image_static_no_animation],
     )
     """Uploaded image"""
 
     is_main = models.BooleanField(
         verbose_name=_('Main picture'),
         default=False,
-        help_text=_(
-            'Tick the box if you want to set this image as the '
-            'main one for the exercise (will be shown e.g. in '
-            'the search). The first image is automatically '
-            'marked by the system.'
-        ),
     )
     """A flag indicating whether the image is the exercise's main image"""
 
     style = models.CharField(
-        help_text=_('The art style of your image'),
+        help_text='The art style of your image',
         max_length=1,
         choices=STYLE,
         default=PHOTO,
     )
     """The art style of the image"""
 
     created = models.DateTimeField(
-        _('Date'),
+        'Date',
         auto_now_add=True,
     )
     """The creation time"""
 
     last_update = models.DateTimeField(
-        _('Date'),
+        'Date',
         auto_now=True,
     )
     """Datetime of last modification"""

wger/utils/images.py

@@ -0,0 +1,48 @@
+# This file is part of wger Workout Manager.
+#
+# wger Workout Manager is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# wger Workout Manager is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+
+# Third Party
+from PIL import (
+    Image,
+    UnidentifiedImageError,
+)
+# Django
+from django.core.exceptions import ValidationError
+
+MAX_FILE_SIZE_MB = 20
+
+
+def validate_image_static_no_animation(value):
+    # File size check
+    if value.size > 1024 * 1024 * MAX_FILE_SIZE_MB:
+        raise ValidationError(f'The maximum image file size is {MAX_FILE_SIZE_MB}MB.')
+
+    # Try opening the file with PIL
+    try:
+        value.open()
+        img = Image.open(value)
+        img_format = img.format.lower()
+    except UnidentifiedImageError:
+        raise ValidationError('File is not a valid image.')
+
+    # Supported types
+    allowed_formats = {'jpeg', 'jpg', 'png', 'webp'}
+    if img_format not in allowed_formats:
+        raise ValidationError(
+            f'File type is not supported. Allowed formats: {", ".join(allowed_formats)}.'
+        )
+
+    # Check for animation
+    if img_format == 'webp' and getattr(img, 'is_animated'):
+        raise ValidationError('Animated images are not supported.')