Vasanko/sanic
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Path protection with pathlib

Browse Source
This commit is contained in:
Adam Hopkins
2022-07-31 14:09:01 +03:00
parent b4360d4a20
commit 05002d7ee4
2 changed files with 36 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
tests/test_static.py
View File

@@ -404,11 +404,10 @@ def test_dotted_dir_ok(
app: Sanic, static_file_directory: str, double_dotted_directory_file: Path
):
app.static("/foo", static_file_directory)
url = (
"/foo"
+ str(double_dotted_directory_file)[len(static_file_directory) :]
dot_relative_path = str(
double_dotted_directory_file.relative_to(static_file_directory)
)
_, response = app.test_client.get(url)
_, response = app.test_client.get("/foo/" + dot_relative_path)
assert response.status == 200
assert response.body == b"DOT\n"
@@ -416,8 +415,11 @@ def test_dotted_dir_ok(
def test_breakout(app: Sanic, static_file_directory: str):
app.static("/foo", static_file_directory)
_, response = app.test_client.get("/foo/..%2Ffake/server.py")
assert response.status == 404
_, response = app.test_client.get("/foo/..%2Fstatic/test.file")
assert response.status == 400
assert response.status == 404
@pytest.mark.skipif(
@@ -429,6 +431,6 @@ def test_double_backslash_prohibited_on_win32(
app.static("/foo", static_file_directory)
_, response = app.test_client.get("/foo/static/..\\static/test.file")
assert response.status == 400
assert response.status == 404
_, response = app.test_client.get("/foo/static\\../static/test.file")
assert response.status == 400
assert response.status == 404