Fix traversals for intended results (#2728)
This commit is contained in:
Adam Hopkins
GitHub
parent
e374409567
commit
049983cb70
2
.github/workflows/codeql-analysis.yml
vendored
2
.github/workflows/codeql-analysis.yml
vendored
|
|
@ -4,10 +4,12 @@ on:
|
|||
push:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
schedule:
|
||||
|
|
|
|||
2
.github/workflows/coverage.yml
vendored
2
.github/workflows/coverage.yml
vendored
|
|
@ -3,12 +3,14 @@ on:
|
|||
push:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
tags:
|
||||
- "!*" # Do not execute on tags
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
jobs:
|
||||
test:
|
||||
|
|
|
|||
1
.github/workflows/pr-bandit.yml
vendored
1
.github/workflows/pr-bandit.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-docs.yml
vendored
1
.github/workflows/pr-docs.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-linter.yml
vendored
1
.github/workflows/pr-linter.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-python310.yml
vendored
1
.github/workflows/pr-python310.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-python311.yml
vendored
1
.github/workflows/pr-python311.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-python37.yml
vendored
1
.github/workflows/pr-python37.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-python38.yml
vendored
1
.github/workflows/pr-python38.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-python39.yml
vendored
1
.github/workflows/pr-python39.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-type-check.yml
vendored
1
.github/workflows/pr-type-check.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
1
.github/workflows/pr-windows.yml
vendored
1
.github/workflows/pr-windows.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
|||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- current-release
|
||||
- "*LTS"
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
__version__ = "23.3.0"
|
||||
__version__ = "23.3.1"
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ class StaticMixin(BaseMixin, metaclass=SanicMeta):
|
|||
)
|
||||
|
||||
try:
|
||||
file_or_directory = Path(file_or_directory)
|
||||
file_or_directory = Path(file_or_directory).resolve()
|
||||
except TypeError:
|
||||
raise TypeError(
|
||||
"Static file or directory must be a path-like object or string"
|
||||
|
|
|
|||
|
|
@ -101,6 +101,31 @@ def test_static_file_pathlib(app, static_file_directory, file_name):
|
|||
assert response.body == get_file_content(static_file_directory, file_name)
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"file_name",
|
||||
[
|
||||
"test.file",
|
||||
"decode me.txt",
|
||||
"python.png",
|
||||
"symlink",
|
||||
"hard_link",
|
||||
],
|
||||
)
|
||||
def test_static_file_pathlib_relative_path_traversal(
|
||||
app, static_file_directory, file_name
|
||||
):
|
||||
"""Get the current working directory and check if it ends with "sanic" """
|
||||
cwd = Path.cwd()
|
||||
if not str(cwd).endswith("sanic"):
|
||||
pytest.skip("Current working directory does not end with 'sanic'")
|
||||
|
||||
file_path = "./tests/static/../static/"
|
||||
app.static("/", file_path)
|
||||
_, response = app.test_client.get(f"/{file_name}")
|
||||
assert response.status == 200
|
||||
assert response.body == get_file_content(static_file_directory, file_name)
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"file_name",
|
||||
[b"test.file", b"decode me.txt", b"python.png"],
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user