From 0a3954a5f89ea1dc440069a9b4fa2127365ccf6f Mon Sep 17 00:00:00 2001
From: Barry GIBNEY
Date: Tue, 26 Nov 2024 07:16:07 +0000
Subject: [PATCH 1/2] Check Guid.Id to validate the Id parameter
---
 Web/Edubase.Web.UI/Controllers/DownloadsController.cs | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/Web/Edubase.Web.UI/Controllers/DownloadsController.cs b/Web/Edubase.Web.UI/Controllers/DownloadsController.cs
index 6620322af..823cf131d 100644
--- a/Web/Edubase.Web.UI/Controllers/DownloadsController.cs
+++ b/Web/Edubase.Web.UI/Controllers/DownloadsController.cs
@@ -137,6 +137,17 @@ public async Task GenerateAjax(Guid id)
 public async Task DownloadGenerated(Guid id, bool isExtract = false)
 {
 var model = new ProgressDto();
+
+ if (id == Guid.Empty)
+ {
+ model.Error = "The download could not be started because the provided link is invalid";
+ return View("Downloads/DownloadError", new DownloadErrorViewModel
+ {
+ ReturnSource = isExtract ? eDownloadReturnSource.Extracts : eDownloadReturnSource.Downloads,
+ NeedsRegenerating = false
+ });
+ }
+
 try
 {
 model = isExtract
From b6fb0520e386988a5dcedee6f5aa3eb28bd27ec7 Mon Sep 17 00:00:00 2001
From: Barry GIBNEY
Date: Tue, 7 Jan 2025 09:34:35 +0000
Subject: [PATCH 2/2] Change to verify the Guid
---
 .../Controllers/DownloadsController.cs | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/Web/Edubase.Web.UI/Controllers/DownloadsController.cs b/Web/Edubase.Web.UI/Controllers/DownloadsController.cs
index 823cf131d..a197d98bd 100644
--- a/Web/Edubase.Web.UI/Controllers/DownloadsController.cs
+++ b/Web/Edubase.Web.UI/Controllers/DownloadsController.cs
@@ -14,6 +14,7 @@
 using Edubase.Web.UI.Helpers;
 using System.Linq;
 using System.Net.Http;
+using System.Web.Http.Results;
 using System.Web.Routing;
 using Edubase.Services;
 using Edubase.Services.Downloads.Models;
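Review bot: The invalid-link branch added to `DownloadGenerated` in patch 1/2 returns the error view with the default 200 status, so a malformed or tampered link looks like a successful page load in access logs and monitoring; the `Guid.TryParse` branch in patch 2/2 has the same shape. Consider setting `Response.StatusCode = 400;` before `return View(...)`, provided the site's error-page configuration lets the view body through. The method body continues past the end of the hunk, so how the other error paths report status is not visible here.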
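Review bot: `using System.Web.Http.Results;` in the first hunk of patch 2/2 is not used by anything visible in this patch, and it pulls Web API result types into what looks like an MVC controller. That namespace declares names such as `RedirectResult` that also exist in `System.Web.Mvc`, so a later unqualified reference could fail to compile as ambiguous. It looks like an IDE auto-import and can probably be dropped; confirm nothing elsewhere in the file relies on it.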
@@ -134,25 +135,23 @@ public async Task GenerateAjax(Guid id) } [Route("Generated/{id}", Name = "DownloadGenerated")] - public async Task DownloadGenerated(Guid id, bool isExtract = false) + public async Task DownloadGenerated(string id, bool isExtract = false) { - var model = new ProgressDto(); - - if (id == Guid.Empty) + if (!Guid.TryParse(id, out Guid parsedId)) { - model.Error = "The download could not be started because the provided link is invalid"; return View("Downloads/DownloadError", new DownloadErrorViewModel { + NeedsRegenerating = false, ReturnSource = isExtract ? eDownloadReturnSource.Extracts : eDownloadReturnSource.Downloads, - NeedsRegenerating = false }); } + var model = new ProgressDto(); try { model = isExtract - ? await _downloadsService.GetProgressOfScheduledExtractGenerationAsync(id, User) - : await _downloadsService.GetProgressOfGeneratedExtractAsync(id, User); + ? await _downloadsService.GetProgressOfScheduledExtractGenerationAsync(parsedId, User) + : await _downloadsService.GetProgressOfGeneratedExtractAsync(parsedId, User); } catch (Exception ex) {
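Review bot: `Guid.TryParse` succeeds for the all-zero GUID, so the `Guid.Empty` rejection that patch 1/2 introduced is lost here and an empty id now reaches `_downloadsService`; the guard could be `if (!Guid.TryParse(id, out Guid parsedId) || parsedId == Guid.Empty)`. `TryParse` also accepts the undashed, braced and parenthesised forms; if links are only ever issued in the dashed form, `Guid.TryParseExact(id, "D", out Guid parsedId)` narrows what is accepted. A well-formed id is not proof that the caller may fetch that download; that check presumably lives in the service calls that receive `User`, which this hunk does not show. The method body continues past the end of the hunk.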