@@ -35,6 +35,16 b' def _make_dir(contents_manager, api_path):' | |||
|
35 | 35 | |
|
36 | 36 | class TestFileContentsManager(TestCase): |
|
37 | 37 | |
|
38 | @contextmanager | |
|
39 | def assertRaisesHTTPError(self, status, msg=None): | |
|
40 | msg = msg or "Should have raised HTTPError(%i)" % status | |
|
41 | try: | |
|
42 | yield | |
|
43 | except HTTPError as e: | |
|
44 | self.assertEqual(e.status_code, status) | |
|
45 | else: | |
|
46 | self.fail(msg) | |
|
47 | ||
|
38 | 48 | def symlink(self, contents_manager, src, dst): |
|
39 | 49 | """Make a symlink to src from dst |
|
40 | 50 | |
@@ -153,6 +163,30 b' class TestFileContentsManager(TestCase):' | |||
|
153 | 163 | else: |
|
154 | 164 | self.fail("Should have raised HTTPError(403)") |
|
155 | 165 | |
|
166 | def test_escape_root(self): | |
|
167 | with TemporaryDirectory() as td: | |
|
168 | cm = FileContentsManager(root_dir=td) | |
|
169 | # make foo, bar next to root | |
|
170 | with open(os.path.join(cm.root_dir, '..', 'foo'), 'w') as f: | |
|
171 | f.write('foo') | |
|
172 | with open(os.path.join(cm.root_dir, '..', 'bar'), 'w') as f: | |
|
173 | f.write('bar') | |
|
174 | ||
|
175 | with self.assertRaisesHTTPError(404): | |
|
176 | cm.get('..') | |
|
177 | with self.assertRaisesHTTPError(404): | |
|
178 | cm.get('foo/../../../bar') | |
|
179 | with self.assertRaisesHTTPError(404): | |
|
180 | cm.delete('../foo') | |
|
181 | with self.assertRaisesHTTPError(404): | |
|
182 | cm.rename('../foo', '../bar') | |
|
183 | with self.assertRaisesHTTPError(404): | |
|
184 | cm.save(model={ | |
|
185 | 'type': 'file', | |
|
186 | 'content': u'', | |
|
187 | 'format': 'text', | |
|
188 | }, path='../foo') | |
|
189 | ||
|
156 | 190 | |
|
157 | 191 | class TestContentsManager(TestCase): |
|
158 | 192 | |
@@ -166,16 +200,6 b' class TestContentsManager(TestCase):' | |||
|
166 | 200 | def tearDown(self): |
|
167 | 201 | self._temp_dir.cleanup() |
|
168 | 202 | |
|
169 | @contextmanager | |
|
170 | def assertRaisesHTTPError(self, status, msg=None): | |
|
171 | msg = msg or "Should have raised HTTPError(%i)" % status | |
|
172 | try: | |
|
173 | yield | |
|
174 | except HTTPError as e: | |
|
175 | self.assertEqual(e.status_code, status) | |
|
176 | else: | |
|
177 | self.fail(msg) | |
|
178 | ||
|
179 | 203 | def make_dir(self, api_path): |
|
180 | 204 | """make a subdirectory at api_path |
|
181 | 205 | |
@@ -472,29 +496,3 b' class TestContentsManager(TestCase):' | |||
|
472 | 496 | cm.mark_trusted_cells(nb, path) |
|
473 | 497 | cm.check_and_sign(nb, path) |
|
474 | 498 | assert cm.notary.check_signature(nb) |
|
475 | ||
|
476 | def test_escape_root(self): | |
|
477 | cm = self.contents_manager | |
|
478 | # make foo, bar next to root | |
|
479 | with open(os.path.join(cm.root_dir, '..', 'foo'), 'w') as f: | |
|
480 | f.write('foo') | |
|
481 | with open(os.path.join(cm.root_dir, '..', 'bar'), 'w') as f: | |
|
482 | f.write('bar') | |
|
483 | ||
|
484 | with self.assertRaisesHTTPError(404): | |
|
485 | cm.get('..') | |
|
486 | with self.assertRaisesHTTPError(404): | |
|
487 | cm.get('foo/../../../bar') | |
|
488 | with self.assertRaisesHTTPError(404): | |
|
489 | cm.delete('../foo') | |
|
490 | with self.assertRaisesHTTPError(404): | |
|
491 | cm.rename('../foo', '../bar') | |
|
492 | with self.assertRaisesHTTPError(404): | |
|
493 | cm.save(model={ | |
|
494 | 'type': 'file', | |
|
495 | 'content': u'', | |
|
496 | 'format': 'text', | |
|
497 | }, path='../foo') | |
|
498 | ||
|
499 | ||
|
500 |
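Review bot: The relocated `test_escape_root` (new lines 166–188) writes `foo` and `bar` to `os.path.join(cm.root_dir, '..', ...)`, and with `root_dir=td` that is the parent of the temporary directory. The files therefore land outside what `TemporaryDirectory()` cleans up, and `open(..., 'w')` would truncate an existing file of that name there. Rooting the manager in a subdirectory keeps the escape targets inside the managed tree: `root = os.path.join(td, 'root'); os.mkdir(root)` followed by `cm = FileContentsManager(root_dir=root)`. The test also checks only the 404 status; after the `delete`, `rename` and `save` attempts it could assert that the outside `foo` still exists and still contains `'foo'`, which would show the traversal guard stopped the filesystem change and not just the response code. Separately, the third hunk removes `assertRaisesHTTPError` from `TestContentsManager`, and whether any remaining test in that class still calls it cannot be seen from these hunks.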