diff --git a/src/sentry/api/endpoints/organization_monitor_checkin_attachment.py b/src/sentry/api/endpoints/organization_monitor_checkin_attachment.py
index c86aaae9d4ccf2..642f940102ad6c 100644
--- a/src/sentry/api/endpoints/organization_monitor_checkin_attachment.py
+++ b/src/sentry/api/endpoints/organization_monitor_checkin_attachment.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
+from django.core.files.uploadedfile import UploadedFile
 from django.http.response import FileResponse
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -50,6 +51,9 @@ def post(self, request: Request, project, monitor, checkin) -> Response:
 return Response({"detail": "Check-in already has an attachment"}, status=400)
 fileobj = request.data["file"]
+ if not isinstance(fileobj, UploadedFile):
+ return Response({"detail": "Please upload a valid file object"}, status=400)
+
 if fileobj.size > MAX_ATTACHMENT_SIZE:
 return Response({"detail": "Please keep uploads below 100kb"}, status=400)
diff --git a/tests/sentry/api/endpoints/test_organization_monitor_checkin_attachment.py b/tests/sentry/api/endpoints/test_organization_monitor_checkin_attachment.py
index b759607b7b7e06..9ebf4666b604a3 100644
--- a/tests/sentry/api/endpoints/test_organization_monitor_checkin_attachment.py
+++ b/tests/sentry/api/endpoints/test_organization_monitor_checkin_attachment.py
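Review bot: The new `isinstance(fileobj, UploadedFile)` guard in `post` has no comment saying what it protects, and the reason is not obvious from the line alone: a multipart field named `file` that carries plain text reaches `request.data` as a string, so the `fileobj.size` comparison just below would raise and surface as a server error instead of a 400. I would add `# A non-file "file" field arrives as a plain string with no .size; reject it before the size check.` directly above the guard. Whether a request with no `file` key at all is rejected before `request.data["file"]` is evaluated cannot be seen here, because `post` starts and ends outside the hunk; it is worth confirming that path also answers with a 400.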
@@ -165,3 +165,22 @@ def test_duplicate_upload(self):
 assert resp.status_code == 400
 assert resp.data["detail"] == "Check-in already has an attachment"
+
+ def test_invalid_file_upload(self):
+ monitor = self._create_monitor()
+ checkin = MonitorCheckIn.objects.create(
+ monitor=monitor,
+ project_id=self.project.id,
+ date_added=monitor.date_added,
+ status=CheckInStatus.IN_PROGRESS,
+ )
+
+ path = self._path_func(monitor, checkin)
+ resp = self.client.post(
+ path,
+ {"file": "invalid_file"},
+ format="multipart",
+ )
+
+ assert resp.status_code == 400
+ assert resp.data["detail"] == "Please upload a valid file object"
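Review bot: `test_invalid_file_upload` pins only the status code and the message, so it would still pass if a later refactor stored something on the check-in before rejecting the request. After the two asserts I would reload the row with `checkin.refresh_from_db()` and assert that the check-in still has no attachment, which ties the test to the property the guard is there to protect. A one-line docstring such as `"""A plain string in the "file" field is rejected with a 400 and nothing is stored."""` would also make the intent clear to the next reader.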