Evidence download URL missing from GraphQL export · Issue #599 · GhostManager/Ghostwriter · GitHub

Evidence download URL missing from GraphQL export #599


Open
eldstal opened this issue Mar 21, 2025 · 3 comments
Labels
enhancement New feature or request

Comments

@eldstal
eldstal commented Mar 21, 2025

Describe the bug
Exporting a report via the GraphQL mutation generateReport used to (in v4.0.1) include a field url for each evidence object, which allowed a client with an API key to download the associated evidence file. The url field has been removed. The current (v5.0.5) API returns a path which does not appear to be a valid URL to the file.

The front-end uses a URL of the form /reporting/evidence/download/<id> which is not accessible using an API key.

To Reproduce
Steps to reproduce the behavior:

  1. Perform a GraphQL query such as generateReport(1) { reportData } or evidence { document }

Expected Behavior
Receive a URL to download the evidence file (or a data blob via GraphQL, similar to what uploadEvidence() accepts?)

Screenshots
none

Additional context
It could be that I've missed the proper way to do this, but I can't see anything in the GraphQL schema which appears relevant to solving the issue.

Alternatively, the path returned in the current API export is actually correct and I've misunderstood how to use it.

If there is already a solution in the API, feel free to close the issue.

Thank you for the great work, GhostWriter has been a very useful tool ever since we started using it!

@eldstal eldstal added the bug Something isn't working label Mar 21, 2025
@chrismaddalena chrismaddalena added enhancement New feature or request and removed bug Something isn't working labels Mar 25, 2025
@chrismaddalena
Collaborator
chrismaddalena commented Mar 25, 2025

GraphQL does not handle files, so the generateReport mutation's approach is a base64 blob for the JSON document. You can also request URLs you can visit in your web browser for docx, pptx, or xlsx downloads, but they won't work with an API token.

It sounds like what you were doing was:

  1. Run generateReport
  2. Decode the base64 blob
  3. Access the evidence key and try to download the file with the information in there

That last step would actually have used a bug and potential security issue that we closed in v4.0.5 in Jan 2024. The /media location in Nginx was not being protected by the Django back-end so you could request a media file, like evidence, if you knew the report ID and the name of an evidence file on that report.

GHSA-p796-9863-mwx8

You can query evidence to pull all evidence entries or a filtered set, but Ghostwriter doesn't offer any way to download evidence files via the GraphQL API because of the lack of support for files. This would require creating a custom endpoint that could return a base64 blob. That's something we can consider adding.
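As an added example, not part of this issue and not Ghostwriter's own code, the flow described in the comment above (run generateReport with an API token, decode the base64 blob, read the evidence entries) together with the browser-session request for the /reporting/evidence/download/<id> route named in the issue. Everything beyond what the thread states is an assumption: the /v1/graphql endpoint path, the `Authorization: Bearer <token>` header, the `generateReport(id: Int!)` argument shape, the layout of the decoded report JSON, and Django's default `sessionid` cookie name. The sample response is constructed so the script runs offline.

```python
"""Added example (not Ghostwriter's own code): call generateReport with an API
token, decode the base64 JSON blob it returns, list evidence entries, and build
the browser-session request for the evidence download route from the issue.

Assumed, not taken from the issue: the GraphQL endpoint path /v1/graphql, the
`Authorization: Bearer <token>` header, the `generateReport(id: Int!)` argument
shape, the layout of the decoded report JSON, and Django's default "sessionid"
cookie name for the browser-session workaround.
"""
import base64
import json
import urllib.request
from typing import Any

GRAPHQL_PATH = "/v1/graphql"  # assumption: Hasura-style endpoint path

# Assumption: generateReport takes the report ID and returns reportData.
GENERATE_REPORT_MUTATION = """
mutation GenerateReport($id: Int!) {
  generateReport(id: $id) {
    reportData
  }
}
"""


def build_graphql_request(base_url: str, token: str, query: str,
                          variables: dict[str, Any]) -> urllib.request.Request:
    """Build the POST for a GraphQL operation authenticated with an API token."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + GRAPHQL_PATH,
        data=body,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )


def extract_report_data(response: dict[str, Any]) -> str:
    """Pull the base64 reportData string out of a response; fail loudly on GraphQL errors."""
    if response.get("errors"):
        raise RuntimeError("GraphQL errors: " + json.dumps(response["errors"]))
    return response["data"]["generateReport"]["reportData"]


def decode_report_data(report_data_b64: str) -> dict[str, Any]:
    """GraphQL cannot carry files, so the JSON document arrives base64-encoded."""
    raw = base64.b64decode(report_data_b64, validate=True)  # rejects junk instead of silently skipping it
    return json.loads(raw)


def collect_evidence(node: Any) -> list[dict[str, Any]]:
    """Walk the decoded report and gather every dict found in a list under an "evidence" key.

    The walk is structure-agnostic on purpose: evidence may hang off the report
    itself or off individual findings (assumed layout, see module docstring).
    """
    found: list[dict[str, Any]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "evidence" and isinstance(value, list):
                found.extend(item for item in value if isinstance(item, dict))
            else:
                found.extend(collect_evidence(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(collect_evidence(item))
    return found


def build_evidence_download_request(base_url: str, evidence_id: int,
                                    session_cookie: str) -> urllib.request.Request:
    """The web UI route named in the issue; it needs a browser session, not an API token."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/reporting/evidence/download/{int(evidence_id)}",
        headers={"Cookie": f"sessionid={session_cookie}"},  # assumption: Django's default cookie name
    )


def fetch_evidence_list(base_url: str, token: str, report_id: int) -> list[dict[str, Any]]:
    """Live flow: run the mutation, decode the blob, return the evidence entries."""
    req = build_graphql_request(base_url, token, GENERATE_REPORT_MUTATION, {"id": report_id})
    with urllib.request.urlopen(req, timeout=30) as resp:
        response = json.load(resp)
    return collect_evidence(decode_report_data(extract_report_data(response)))


# Constructed sample standing in for a live response; the field names are assumptions.
SAMPLE_REPORT = {
    "id": 1,
    "title": "Constructed sample report",
    "findings": [
        {"title": "Finding A",
         "evidence": [{"id": 7, "document": "screenshot-a.png",
                       "path": "evidence/1/screenshot-a.png"}]},
    ],
    "evidence": [{"id": 9, "document": "scope.txt", "path": "evidence/1/scope.txt"}],
}
SAMPLE_RESPONSE = {"data": {"generateReport": {
    "reportData": base64.b64encode(json.dumps(SAMPLE_REPORT).encode()).decode()}}}


if __name__ == "__main__":
    report = decode_report_data(extract_report_data(SAMPLE_RESPONSE))
    for item in collect_evidence(report):
        # "path" is what v5 returns; it is not a URL an API client can fetch.
        print(item["id"], item["document"], item["path"])
```

The `path` value that comes back is only useful for matching entries to files, not for fetching them: the only route that serves the bytes is the one that checks the Django session, which is why the download request above carries a session cookie rather than the API token. Requesting `/media/...` directly is the hole closed in GHSA-p796-9863-mwx8, so a client should not rely on it.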

@eldstal
Author
eldstal commented Mar 26, 2025

Thanks for clarifying!

That is indeed what we were doing in the old version, not knowing we were intruders in our own system :D

It would certainly be useful for an API client to be able to get the evidence file contents as well. This would allow automation tools to export the full report contents one way or another for further processing.

We've got a workaround for the time being (automation script requires a regular browser session token to download evidence), but it is not as elegant as the current API key setup.

Thanks for considering the change!

@chrismaddalena
Collaborator

Yep, sure thing! I'll look into adding an endpoint for downloading evidence files like we added for uploading them.
