Path protection with pathlib

2022-07-31 13:26:11 +03:00
parent 3b85b3bbad
commit b4360d4a20
3 changed files with 79 additions and 17 deletions
--- a/tests/test_static.py
+++ b/tests/test_static.py
@@ -1,10 +1,14 @@
 import inspect
 import os
+import sys

+from pathlib import Path
 from time import gmtime, strftime

 import pytest

+from sanic.app import Sanic
+

@pytest.fixture(scope="module")
 def static_file_directory():
@@ -15,6 +19,22 @@ def static_file_directory():
    return static_directory


+@pytest.fixture(scope="module")
+def double_dotted_directory_file(static_file_directory: str):
+    """Generate double dotted directory and its files"""
+    if sys.platform == "win32":
+        raise Exception("Windows doesn't support double dotted directories")
+
+    file_path = Path(static_file_directory) / "dotted.." / "dot.txt"
+    double_dotted_dir = file_path.parent
+    Path.mkdir(double_dotted_dir, exist_ok=True)
+    with open(file_path, "w") as f:
+        f.write("DOT\n")
+    yield file_path
+    Path.unlink(file_path)
+    Path.rmdir(double_dotted_dir)
+
+
 def get_file_path(static_file_directory, file_name):
    return os.path.join(static_file_directory, file_name)

@@ -374,3 +394,41 @@ def test_static_name(app, static_file_directory, static_name, file_name):
    request, response = app.test_client.get(f"/static/{file_name}")

    assert response.status == 200
+
+
+@pytest.mark.skipif(
+    sys.platform == "win32",
+    reason="Windows does not support double dotted directories",
+)
+def test_dotted_dir_ok(
+    app: Sanic, static_file_directory: str, double_dotted_directory_file: Path
+):
+    app.static("/foo", static_file_directory)
+    url = (
+        "/foo"
+        + str(double_dotted_directory_file)[len(static_file_directory) :]
+    )
+    _, response = app.test_client.get(url)
+    assert response.status == 200
+    assert response.body == b"DOT\n"
+
+
+def test_breakout(app: Sanic, static_file_directory: str):
+    app.static("/foo", static_file_directory)
+
+    _, response = app.test_client.get("/foo/..%2Fstatic/test.file")
+    assert response.status == 400
+
+
+@pytest.mark.skipif(
+    sys.platform != "win32", reason="Block backslash on Windows only"
+)
+def test_double_backslash_prohibited_on_win32(
+    app: Sanic, static_file_directory: str
+):
+    app.static("/foo", static_file_directory)
+
+    _, response = app.test_client.get("/foo/static/..\\static/test.file")
+    assert response.status == 400
+    _, response = app.test_client.get("/foo/static\\../static/test.file")
+    assert response.status == 400