fix(crons): Disallow non-file uploads to attachment endpoint (#45457)

Fixes:
https://sentry.sentry.io/issues/3965990771/?query=id%3A5f4826c16808404ea8768d4214c3e34d&referrer=issue-stream&statsPeriod=14d

Author: David Wang

src/sentry/api/endpoints/organization_monitor_checkin_attachment.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+from django.core.files.uploadedfile import UploadedFile
 from django.http.response import FileResponse
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -50,6 +51,9 @@ def post(self, request: Request, project, monitor, checkin) -> Response:
             return Response({"detail": "Check-in already has an attachment"}, status=400)
 
         fileobj = request.data["file"]
+        if not isinstance(fileobj, UploadedFile):
+            return Response({"detail": "Please upload a valid file object"}, status=400)
+
         if fileobj.size > MAX_ATTACHMENT_SIZE:
             return Response({"detail": "Please keep uploads below 100kb"}, status=400)
 

tests/sentry/api/endpoints/test_organization_monitor_checkin_attachment.py

@@ -165,3 +165,22 @@ def test_duplicate_upload(self):
 
         assert resp.status_code == 400
         assert resp.data["detail"] == "Check-in already has an attachment"
+
+    def test_invalid_file_upload(self):
+        monitor = self._create_monitor()
+        checkin = MonitorCheckIn.objects.create(
+            monitor=monitor,
+            project_id=self.project.id,
+            date_added=monitor.date_added,
+            status=CheckInStatus.IN_PROGRESS,
+        )
+
+        path = self._path_func(monitor, checkin)
+        resp = self.client.post(
+            path,
+            {"file": "invalid_file"},
+            format="multipart",
+        )
+
+        assert resp.status_code == 400
+        assert resp.data["detail"] == "Please upload a valid file object"