As an STT Data Analyst, I want to know if my file upload had a virus

amilash commented 3 years ago

Description

TDP scans files for viruses to ensure we don't accept any infected files into S3. Currently the message displayed to the user says "Request failed with status code 400" (see video below) when an infected file is submitted. This is not an actionable error message for the user. Instead, we need to tell the user that they have attempted to submit an infected file.

https://user-images.githubusercontent.com/63075587/175654982-3326777f-1add-4448-8977-d7851cac9ada.mov

Acceptance Criteria

[ ] when a user uploads an infected file, an error message indicating such is displayed

Tasks

[ ] update logic to conditionally display infected error message to user if infected file submitted
[ ] inline error messaging should read "We detected a corrupt file upload. Please review this section and re-submit the data file."
[ ] error message should appear inline to the section it is referring to

Design

See attachment

reitermb commented 3 years ago

Noting that we have patterns for related upload errors, though it sounds like we might need to revisit a few of them for blank file. Does a malicious file need a dedicated message or does the wrong format error work for that (cc @ADPennington)

amilash commented 3 years ago

Will let @ADPennington confirm, but I think the idea is for the user to have a specific knowledge of why the error happened and the resulting non upload. More along the lines of.. "your file was not submitted b/c we detected a risk issue with the file type and we don't accept that kind of file" or "your file was not submitted because we detected that it is an empty file and we do not accept that type of file".

andrew-jameson commented 2 years ago

@reitermb Should I tag this as 'research and design' or should dev team decide on the messaging here?

stevenino commented 2 years ago

@ADPennington @ttran-hub what is the system admin ask here?

lfrohlich commented 2 years ago

From @ADPennington : This is supposed to deliver missing error messaging to the user for file uploads. Currently:

if a virus is detected by clamav, the submit button will not work but the user will not know why. the sys admin can see this on the backend but will have to search for this because there is no automated notification built in to alert us of this issue.
if a user uploaded a file that is blank (no content), a 400 bad request error is returned upon clicking submit but that is not a meaningful error message for the user. the sys admin will not be able to see this from TDP. cloud.gov logs is the only place where the 400 error is visible to the sys admin and even then we will not know what the root cause is.

i think Angela was suggesting that the engineering work should include creating a file status field that would take on a specific value based on the error detected (if any) upon submission. this new field would then be used to trigger certain notifications to the user and also the system admin (but the latter doesn't need to happen at this stage since the user would have a meaningful error message to resolve their upload problem).

ADPennington commented 2 years ago

updated this ticket to focus on error message for submitting infected files.

raft-tech / TANF-app