From 7d457a24851167a6cfcee92ece2df3241493e617 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Garc=C3=ADa?= <jmgarcia@iriusrisk.com>
Date: Thu, 10 Jul 2025 11:28:47 +0200
Subject: [PATCH 1/2] [BLAZ-2197] Enhance DrawIO loader to handle multi-page
 diagrams and update schema

---
 .../resources/schemas/drawio_schema.xsd       |  9 ++++
 slp_drawio/slp_drawio/load/drawio_loader.py   |  4 +-
 .../tests/unit/load/test_drawio_loader.py     |  4 +-
 .../controllers/diagram/drawio/__init__.py    |  0
 .../test_otm_controller_diagram_drawio.py     | 50 +++++++++++++++++++
 .../resources/drawio/drawio-multi-page.drawio | 24 +++++++++
 tests/resources/drawio/drawio_mapping.yaml    |  8 +++
 tests/resources/test_resource_paths.py        |  4 ++
 8 files changed, 99 insertions(+), 4 deletions(-)
 create mode 100644 tests/integration/api/controllers/diagram/drawio/__init__.py
 create mode 100644 tests/integration/api/controllers/diagram/drawio/test_otm_controller_diagram_drawio.py
 create mode 100644 tests/resources/drawio/drawio-multi-page.drawio
 create mode 100644 tests/resources/drawio/drawio_mapping.yaml

diff --git a/slp_drawio/resources/schemas/drawio_schema.xsd b/slp_drawio/resources/schemas/drawio_schema.xsd
index 85684eac..f4fe0dda 100644
--- a/slp_drawio/resources/schemas/drawio_schema.xsd
+++ b/slp_drawio/resources/schemas/drawio_schema.xsd
@@ -15,6 +15,7 @@
         <xs:attribute type="xs:string" name="edge"/>
         <xs:attribute type="xs:string" name="connectable"/>
         <xs:attribute type="xs:string" name="isThumb"/>
+        <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
     <xs:complexType name="mxRectangleType">
         <xs:simpleContent>
@@ -22,6 +23,7 @@
                 <xs:attribute type="xs:string" name="width"/>
                 <xs:attribute type="xs:string" name="height"/>
                 <xs:attribute type="xs:string" name="as"/>
+                <xs:anyAttribute processContents="lax"/>
             </xs:extension>
         </xs:simpleContent>
     </xs:complexType>
@@ -37,6 +39,7 @@
         <xs:attribute type="xs:string" name="height"/>
         <xs:attribute type="xs:string" name="as"/>
         <xs:attribute type="xs:string" name="relative"/>
+        <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
     <xs:complexType name="mxPointType">
         <xs:simpleContent>
@@ -44,6 +47,7 @@
                 <xs:attribute type="xs:string" name="x"/>
                 <xs:attribute type="xs:string" name="y"/>
                 <xs:attribute type="xs:string" name="as"/>
+                <xs:anyAttribute processContents="lax"/>
             </xs:extension>
         </xs:simpleContent>
     </xs:complexType>
@@ -52,6 +56,7 @@
             <xs:element type="mxPointType" name="mxPoint" maxOccurs="unbounded" minOccurs="0"/>
         </xs:sequence>
         <xs:attribute type="xs:string" name="as"/>
+        <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
     <xs:complexType name="objectType">
         <xs:sequence>
@@ -67,6 +72,7 @@
         <xs:attribute type="xs:string" name="tags"/>
         <xs:attribute type="xs:string" name="ir.sourceStyle"/>
         <xs:attribute type="xs:string" name="ir.description"/>
+        <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
 
     <xs:complexType name="rootType">
@@ -98,6 +104,7 @@
         <xs:attribute type="xs:string" name="background"/>
         <xs:attribute type="xs:string" name="irDrawioVersion"/>
         <xs:attribute type="xs:string" name="irIriusRiskVersion"/>
+        <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
     <xs:complexType name="diagramType" mixed="true">
         <xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -106,6 +113,7 @@
         <xs:attribute type="xs:string" name="id"/>
         <xs:attribute type="xs:string" name="name"/>
         <xs:attribute type="xs:string" name="isThumb"/>
+        <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
     <xs:complexType name="mxfileType">
         <xs:sequence maxOccurs="unbounded">
@@ -118,5 +126,6 @@
         <xs:attribute type="xs:string" name="version"/>
         <xs:attribute type="xs:string" name="type"/>
         <xs:attribute type="xs:string" name="pages"/>
+        <xs:anyAttribute processContents="lax"/>
     </xs:complexType>
 </xs:schema>
\ No newline at end of file
diff --git a/slp_drawio/slp_drawio/load/drawio_loader.py b/slp_drawio/slp_drawio/load/drawio_loader.py
index 20ef1d54..0dce7e38 100644
--- a/slp_drawio/slp_drawio/load/drawio_loader.py
+++ b/slp_drawio/slp_drawio/load/drawio_loader.py
@@ -30,8 +30,8 @@ def load(self):
 
             if is_multiple_pages(source_dict):
                 raise LoadingDiagramFileError(
-                    'Diagram file is not valid', 'Diagram File is not compatible',
-                    'DrawIO processor does not accept diagrams with multiple pages')
+                    'Diagram file is not valid', 'DrawIO processor does not accept diagrams with multiple pages',
+                    'Diagram File is not compatible')
 
             representation: DiagramRepresentation = DiagramRepresentationLoader(self.project_id, source_dict).load()
             components: [DiagramComponent] = DiagramComponentLoader(self.project_id, source_dict).load()
diff --git a/slp_drawio/tests/unit/load/test_drawio_loader.py b/slp_drawio/tests/unit/load/test_drawio_loader.py
index 7a6fd95c..be0de183 100644
--- a/slp_drawio/tests/unit/load/test_drawio_loader.py
+++ b/slp_drawio/tests/unit/load/test_drawio_loader.py
@@ -49,8 +49,8 @@ def test_multiple_pages_drawio(self, to_dict_mock):
 
         # AND the error has the following messages
         assert str(error.value.title) == 'Diagram file is not valid'
-        assert str(error.value.detail) == 'Diagram File is not compatible'
-        assert str(error.value.message) == 'DrawIO processor does not accept diagrams with multiple pages'
+        assert str(error.value.detail) == 'DrawIO processor does not accept diagrams with multiple pages'
+        assert str(error.value.message) == 'Diagram File is not compatible'
 
     @patch('slp_drawio.slp_drawio.load.drawio_loader.DrawIOToDict')
     def test_uncontrolled_exception(self, map_mock):
diff --git a/tests/integration/api/controllers/diagram/drawio/__init__.py b/tests/integration/api/controllers/diagram/drawio/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/integration/api/controllers/diagram/drawio/test_otm_controller_diagram_drawio.py b/tests/integration/api/controllers/diagram/drawio/test_otm_controller_diagram_drawio.py
new file mode 100644
index 00000000..e0b3de9f
--- /dev/null
+++ b/tests/integration/api/controllers/diagram/drawio/test_otm_controller_diagram_drawio.py
@@ -0,0 +1,50 @@
+import json
+
+import responses
+from fastapi.testclient import TestClient
+
+from sl_util.sl_util.file_utils import get_byte_data
+from startleft.startleft.api import fastapi_server
+from startleft.startleft.api.controllers.diagram import diag_create_otm_controller
+from tests.resources import test_resource_paths
+
+webapp = fastapi_server.webapp
+
+client = TestClient(webapp)
+
+json_mime = 'application/json'
+
+
+def get_url():
+    return diag_create_otm_controller.PREFIX + diag_create_otm_controller.URL
+
+
+class TestOTMControllerDiagramDrawio:
+
+    @responses.activate
+    def test_create_otm_multi_page_error(self):
+        # Given a project_id
+        project_id: str = 'test_multi_page_error'
+
+        # And the multi-page source file
+        diag_file = get_byte_data(test_resource_paths.drawio_multi_page)
+
+        # And the mapping file
+        mapping_file = get_byte_data(test_resource_paths.default_drawio_mapping)
+
+        # When I do post on diagram endpoint
+        files = {'diag_file': (test_resource_paths.drawio_multi_page, diag_file),
+                 'default_mapping_file': mapping_file}
+        body = {'diag_type': 'DRAWIO', 'id': project_id, 'name': project_id}
+        response = client.post(get_url(), files=files, data=body)
+
+        # Then the error is returned inside the response as JSON
+        assert response.status_code == 400
+        assert response.headers.get('content-type') == json_mime
+        body_response = json.loads(response.text)
+        assert body_response['status'] == '400'
+        assert body_response['error_type'] == 'LoadingDiagramFileError'
+        assert body_response['title'] == 'Diagram file is not valid'
+        assert body_response['detail'] == 'DrawIO processor does not accept diagrams with multiple pages'
+        assert len(body_response['errors']) == 1
+        assert body_response['errors'][0]['errorMessage'] == 'Diagram File is not compatible'
\ No newline at end of file
diff --git a/tests/resources/drawio/drawio-multi-page.drawio b/tests/resources/drawio/drawio-multi-page.drawio
new file mode 100644
index 00000000..b9d9da46
--- /dev/null
+++ b/tests/resources/drawio/drawio-multi-page.drawio
@@ -0,0 +1,24 @@
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36" version="27.2.0" pages="2">
+  <diagram name="Page-1" id="NHamhjWDUShnQPZS_tjJ">
+    <mxGraphModel dx="1360" dy="759" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="oIuigeCgWeqKkfeAyARH-1" value="Actor" style="shape=umlActor;verticalLabelPosition=bottom;verticalAlign=top;html=1;outlineConnect=0;" vertex="1" parent="1">
+          <mxGeometry x="400" y="360" width="30" height="60" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+  <diagram id="IT3KZz858hmL_lO97gz0" name="Page-2">
+    <mxGraphModel dx="1360" dy="759" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="q-8QwIFsANUwpjPXbaEn-1" value="Actor" style="shape=umlActor;verticalLabelPosition=bottom;verticalAlign=top;html=1;outlineConnect=0;" vertex="1" parent="1">
+          <mxGeometry x="400" y="360" width="30" height="60" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>
diff --git a/tests/resources/drawio/drawio_mapping.yaml b/tests/resources/drawio/drawio_mapping.yaml
new file mode 100644
index 00000000..f70cec77
--- /dev/null
+++ b/tests/resources/drawio/drawio_mapping.yaml
@@ -0,0 +1,8 @@
+trustzones:
+  - default: true
+    label: Internet (default)
+    type: f0ba7722-39b6-4c81-8290-a30a248bb8d9
+
+components:
+  - label: label
+    type: type
\ No newline at end of file
diff --git a/tests/resources/test_resource_paths.py b/tests/resources/test_resource_paths.py
index 247cffee..e33acaae 100644
--- a/tests/resources/test_resource_paths.py
+++ b/tests/resources/test_resource_paths.py
@@ -125,3 +125,7 @@
 # MTMT
 mtmt_mapping_file_valid = f'{path}/mtmt/mapping_example.yaml'
 mtmt_mapping_file_invalid = f'{path}/mtmt/mapping_example_invalid.yaml'
+
+# DRAWIO
+drawio_multi_page = f'{path}/drawio/drawio-multi-page.drawio'
+default_drawio_mapping = f'{path}/drawio/drawio_mapping.yaml'

From ad8cd556170802d236509e1288ec604497c6b611 Mon Sep 17 00:00:00 2001
From: Santi Manero <smanero@iriusrisk.com>
Date: Tue, 22 Jul 2025 09:13:13 +0200
Subject: [PATCH 2/2] [BLAZ-2269] Upgraded fastapi due to CVE-2025-54121

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index a02cefeb..0d0d6a9e 100644
--- a/setup.py
+++ b/setup.py
@@ -22,7 +22,7 @@
         'jmespath==1.0.1',
         'python-hcl2==4.3.2',
         'requests==2.32.4',
-        'fastapi>=0.115.2,<0.116.0',
+        'fastapi>=0.116.1,<0.117.0',
         "python-multipart==0.0.19",
         'click==8.1.7',
         'uvicorn==0.23.2',