Enhance cors_proxy endpoint

src/backend/core/api/viewsets.py

@@ -13,6 +13,7 @@
 from django.core.cache import cache
 from django.core.exceptions import ValidationError
 from django.core.files.storage import default_storage
+from django.core.validators import URLValidator
 from django.db import connection, transaction
 from django.db import models as db
 from django.db.models.expressions import RawSQL
@@ -1441,6 +1442,15 @@ def cors_proxy(self, request, *args, **kwargs):
 
         url = unquote(url)
 
+        url_validator = URLValidator(schemes=["http", "https"])
+        try:
+            url_validator(url)
+        except drf.exceptions.ValidationError as e:
+            return drf.response.Response(
+                {"detail": str(e)},
+                status=drf.status.HTTP_400_BAD_REQUEST,
+            )
+
         try:
             response = requests.get(
                 url,
@@ -1471,10 +1481,10 @@ def cors_proxy(self, request, *args, **kwargs):
             return proxy_response
 
         except requests.RequestException as e:
-            logger.error("Proxy request failed: %s", str(e))
-            return drf_response.Response(
-                {"error": f"Failed to fetch resource: {e!s}"},
-                status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            logger.exception(e)
+            return drf.response.Response(
+                {"error": f"Failed to fetch resource from {url}"},
+                status=status.HTTP_400_BAD_REQUEST,
             )
 
 

src/backend/core/tests/documents/test_api_documents_cors_proxy.py

@@ -2,6 +2,7 @@
 
 import pytest
 import responses
+from requests.exceptions import RequestException
 from rest_framework.test import APIClient
 
 from core import factories
@@ -149,3 +150,41 @@ def test_api_docs_cors_proxy_unsupported_media_type():
         f"/api/v1.0/documents/{document.id!s}/cors-proxy/?url={url_to_fetch}"
     )
     assert response.status_code == 415
+
+
+@pytest.mark.parametrize(
+    "url_to_fetch",
+    [
+        "ftp://external-url.com/assets/index.html",
+        "ftps://external-url.com/assets/index.html",
+        "invalid-url.com",
+        "ssh://external-url.com/assets/index.html",
+    ],
+)
+def test_api_docs_cors_proxy_invalid_url(url_to_fetch):
+    """Test the CORS proxy API for documents with an invalid URL."""
+    document = factories.DocumentFactory(link_reach="public")
+
+    client = APIClient()
+    response = client.get(
+        f"/api/v1.0/documents/{document.id!s}/cors-proxy/?url={url_to_fetch}"
+    )
+    assert response.status_code == 400
+    assert response.json() == ["Enter a valid URL."]
+
+
+@responses.activate
+def test_api_docs_cors_proxy_request_failed():
+    """Test the CORS proxy API for documents with a request failed."""
+    document = factories.DocumentFactory(link_reach="public")
+
+    client = APIClient()
+    url_to_fetch = "https://external-url.com/assets/index.html"
+    responses.get(url_to_fetch, body=RequestException("Connection refused"))
+    response = client.get(
+        f"/api/v1.0/documents/{document.id!s}/cors-proxy/?url={url_to_fetch}"
+    )
+    assert response.status_code == 400
+    assert response.json() == {
+        "error": "Failed to fetch resource from https://external-url.com/assets/index.html"
+    }