Vasanko/sanic
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Fix traversals for intended results (#2728)

Browse Source
This commit is contained in:
Adam Hopkins 2023-07-09 09:21:39 +03:00 committed by GitHub
parent e374409567
commit 049983cb70
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/codeql-analysis.yml vendored
View File

@ -4,10 +4,12 @@ on:
push: push:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]
schedule: schedule:

2
.github/workflows/coverage.yml vendored
View File

@ -3,12 +3,14 @@ on:
push: push:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
tags: tags:
- "!*" # Do not execute on tags - "!*" # Do not execute on tags
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
jobs: jobs:
test: test:

1
.github/workflows/pr-bandit.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-docs.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-linter.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-python310.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-python311.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-python37.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-python38.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-python39.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-type-check.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

1
.github/workflows/pr-windows.yml vendored
View File

@ -3,6 +3,7 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
- current-release
- "*LTS" - "*LTS"
types: [opened, synchronize, reopened, ready_for_review] types: [opened, synchronize, reopened, ready_for_review]

2
sanic/__version__.py
View File

@ -1 +1 @@
__version__ = "23.3.0" __version__ = "23.3.1"

2
sanic/mixins/static.py
View File

@ -95,7 +95,7 @@ class StaticMixin(BaseMixin, metaclass=SanicMeta):
) )
try: try:
file_or_directory = Path(file_or_directory) file_or_directory = Path(file_or_directory).resolve()
except TypeError: except TypeError:
raise TypeError( raise TypeError(
"Static file or directory must be a path-like object or string" "Static file or directory must be a path-like object or string"

25
tests/test_static.py
View File

@ -101,6 +101,31 @@ def test_static_file_pathlib(app, static_file_directory, file_name):
assert response.body == get_file_content(static_file_directory, file_name) assert response.body == get_file_content(static_file_directory, file_name)
@pytest.mark.parametrize(
"file_name",
[
"test.file",
"decode me.txt",
"python.png",
"symlink",
"hard_link",
],
)
def test_static_file_pathlib_relative_path_traversal(
app, static_file_directory, file_name
):
"""Get the current working directory and check if it ends with "sanic" """
cwd = Path.cwd()
if not str(cwd).endswith("sanic"):
pytest.skip("Current working directory does not end with 'sanic'")
file_path = "./tests/static/../static/"
app.static("/", file_path)
_, response = app.test_client.get(f"/{file_name}")
assert response.status == 200
assert response.body == get_file_content(static_file_directory, file_name)
@pytest.mark.parametrize( @pytest.mark.parametrize(
"file_name", "file_name",
[b"test.file", b"decode me.txt", b"python.png"], [b"test.file", b"decode me.txt", b"python.png"],