Django storages adding “;amp” to staticfiles query string parameter only for Django-jet files resulting in unauthorized access

Question

Some staticfiles links have wrong params, what i noticed that they are only related to "django-jet" package.

Normal Django staticfiles URL:

https://daal.nyc3.digitaloceanspaces.com/static/css/admin.css?AWSAccessKeyId=****&Signature=***&Expires=1694226003

Django JET staticfiles URL:

https://daal.nyc3.digitaloceanspaces.com/static/jet/css/icons/style.css?AWSAccessKeyId=*****&Signature=*****&Expires=1694226003&v=1.3.3

This is causing request headers to have invalid names:

Note sure what is causing this? I couldn't find out why

Setup Details

Used Packages

Django 4.2
django-storages[s3]==1.14
django-jet-reboot -> https://github.com/assem-ch/django-jet-reboot

How it should work I'm configuring django storages (using boto3) to serve staticfiles to DigitalOcean S3 Bucket, static files are found and properly served and accessed.

The issue happens for django-jet which is an admin "theme & functionality" package, it has it's own staticfiles within the package. Those files seems to be found and also uploaded successfully to my S3 bucket.. but the generated signed url for those files only has this weird behavior where special characters in header parameters are being escaped ( & -> & ).

Configurations:

Staticfiles Settings:

    # STATIC
# ------------------------------------------------------------------------------
# https://docs.djangoproject.com/en/dev/ref/settings/#static-root
STATIC_ROOT = str(ROOT_DIR / "staticfiles")
# https://docs.djangoproject.com/en/dev/ref/settings/#static-url
STATIC_URL = "/static/"
# https://docs.djangoproject.com/en/dev/ref/contrib/staticfiles/#std:setting-STATICFILES_DIRS
STATICFILES_DIRS = [str(APPS_DIR / "static")]
# https://docs.djangoproject.com/en/dev/ref/contrib/staticfiles/#staticfiles-finders
STATICFILES_FINDERS = [
    "django.contrib.staticfiles.finders.FileSystemFinder",
    "django.contrib.staticfiles.finders.AppDirectoriesFinder",
]

CSRF & X Frame options:

    SESSION_COOKIE_HTTPONLY = True
# https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
CSRF_COOKIE_HTTPONLY = True
# https://docs.djangoproject.com/en/dev/ref/settings/#secure-browser-xss-filter
SECURE_BROWSER_XSS_FILTER = True
# https://docs.djangoproject.com/en/dev/ref/settings/#x-frame-options
X_FRAME_OPTIONS = "SAMEORIGIN"

Related insight

When i run 'python manage.py collectstatic', it shows the following warning (I thought it's expected since JET overrides admin files and it's added above admin app in INSTALLED_APPS, so it's used first):

Found another file with the destination path 'admin/css/base.css'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/css/changelists.css'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/css/dashboard.css'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/css/forms.css'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/css/login.css'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/css/rtl.css'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/css/widgets.css'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/js/SelectFilter2.js'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/js/admin/DateTimeShortcuts.js'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.
Found another file with the destination path 'admin/js/admin/RelatedObjectLookups.js'. It will be ignored since only the first encountered file is collected. If this is not what you want, make sure every static file has a unique path.

After checking their location using findstatic command:

django@daal-backend-54b5c99dc8-wnrdt:/app$ python manage.py findstatic admin/css/base.css admin/css/changelists.css admin/css/widgets.css admin/js/admin/RelatedObjectLookups.js
Found 'admin/css/base.css' here:
  /usr/local/lib/python3.10/site-packages/jet/static/admin/css/base.css
  /usr/local/lib/python3.10/site-packages/django/contrib/admin/static/admin/css/base.css
Found 'admin/css/changelists.css' here:
  /usr/local/lib/python3.10/site-packages/jet/static/admin/css/changelists.css
  /usr/local/lib/python3.10/site-packages/django/contrib/admin/static/admin/css/changelists.css
Found 'admin/css/widgets.css' here:
  /usr/local/lib/python3.10/site-packages/jet/static/admin/css/widgets.css
  /usr/local/lib/python3.10/site-packages/django/contrib/admin/static/admin/css/widgets.css
Found 'admin/js/admin/RelatedObjectLookups.js' here:
  /usr/local/lib/python3.10/site-packages/jet/static/admin/js/admin/RelatedObjectLookups.js
  /usr/local/lib/python3.10/site-packages/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js

Django storages adding “;amp” to staticfiles query string parameter only for Django-jet files resulting in unauthorized access

Setup Details

Configurations:

Related insight

Answers (1)

Related Questions