def test_download_http_url__no_directory_traversal(mock_raise_for_status: Mock,
tmpdir: Path) -> None:
"""
Test that directory traversal doesn't happen on download when the
Content-Disposition header contains a filename with a ".." path part.
"""
mock_url = "http://www.example.com/whatever.tgz"
contents = b"downloaded"
link = Link(mock_url)
session = Mock()
resp = MockResponse(contents)
resp.url = mock_url
resp.headers = {
# Set the content-type to a random value to prevent
# mimetypes.guess_extension from guessing the extension.
"content-type": "random",
"content-disposition": 'attachment;filename="../out_dir_file"',
}
session.get.return_value = resp
download = Downloader(session, progress_bar="on")
download_dir = os.fspath(tmpdir.joinpath("download"))
os.mkdir(download_dir)
file_path, content_type = download(link, download_dir)
# The file should be downloaded to download_dir.
actual = os.listdir(download_dir)
assert actual == ["out_dir_file"]
mock_raise_for_status.assert_called_once_with(resp)
def test_download_http_url__no_directory_traversal(tmpdir):
"""
Test that directory traversal doesn't happen on download when the
Content-Disposition header contains a filename with a ".." path part.
"""
mock_url = 'http://www.example.com/whatever.tgz'
contents = b'downloaded'
link = Link(mock_url)
session = Mock()
resp = MockResponse(contents)
resp.url = mock_url
resp.headers = {
# Set the content-type to a random value to prevent
# mimetypes.guess_extension from guessing the extension.
'content-type': 'random',
'content-disposition': 'attachment;filename="../out_dir_file"'
}
session.get.return_value = resp
downloader = Downloader(session, progress_bar="on")
download_dir = tmpdir.joinpath('download')
os.mkdir(download_dir)
file_path, content_type = _download_http_url(
link,
downloader,
download_dir,
hashes=None,
)
# The file should be downloaded to download_dir.
actual = os.listdir(download_dir)
assert actual == ['out_dir_file']
def test_raise_for_status_does_not_raises_exception() -> None:
contents = b"downloaded"
resp = MockResponse(contents)
resp.status_code = 201
resp.url = "http://www.example.com/whatever.tgz"
resp.reason = "No error"
raise_for_status(resp)
def test_raise_for_status_does_not_raises_exception():
contents = b'downloaded'
resp = MockResponse(contents)
resp.status_code = 201
resp.url = "http://www.example.com/whatever.tgz"
resp.reason = "No error"
return_value = raise_for_status(resp)
assert return_value is None
def test_raise_for_status_raises_exception(status_code, error_type):
contents = b'downloaded'
resp = MockResponse(contents)
resp.status_code = status_code
resp.url = "http://www.example.com/whatever.tgz"
resp.reason = "Network Error"
with pytest.raises(NetworkConnectionError) as exc:
raise_for_status(resp)
assert str(exc.info) == (
"{} {}: Network Error for url:"
" http://www.example.com/whatever.tgz".format(
status_code, error_type)
)
def test_keyring_set_password(
monkeypatch: pytest.MonkeyPatch,
response_status: int,
creds: Tuple[str, str, bool],
expect_save: bool,
) -> None:
keyring = KeyringModuleV1()
monkeypatch.setattr("pip._internal.network.auth.keyring", keyring)
auth = MultiDomainBasicAuth(prompting=True)
monkeypatch.setattr(auth, "_get_url_and_credentials", lambda u:
(u, None, None))
monkeypatch.setattr(auth, "_prompt_for_password", lambda *a: creds)
if creds[2]:
# when _prompt_for_password indicates to save, we should save
def should_save_password_to_keyring(*a: Any) -> bool:
return True
else:
# when _prompt_for_password indicates not to save, we should
# never call this function
def should_save_password_to_keyring(*a: Any) -> bool:
assert False, "_should_save_password_to_keyring should not be called"
monkeypatch.setattr(auth, "_should_save_password_to_keyring",
should_save_password_to_keyring)
req = MockRequest("https://example.com")
resp = MockResponse(b"")
resp.url = req.url
connection = MockConnection()
def _send(sent_req: MockRequest, **kwargs: Any) -> MockResponse:
assert sent_req is req
assert "Authorization" in sent_req.headers
r = MockResponse(b"")
r.status_code = response_status
return r
# https://github.com/python/mypy/issues/2427
connection._send = _send # type: ignore[assignment]
resp.request = req
resp.status_code = 401
resp.connection = connection
auth.handle_401(resp)
if expect_save:
assert keyring.saved_passwords == [("example.com", creds[0], creds[1])]
else:
assert keyring.saved_passwords == []
def test_prepare_download__log(caplog, url, headers, from_cache, expected):
caplog.set_level(logging.INFO)
resp = MockResponse(b'')
resp.url = url
resp.headers = headers
if from_cache:
resp.from_cache = from_cache
link = Link(url)
_prepare_download(resp, link, progress_bar="on")
assert len(caplog.records) == 1
record = caplog.records[0]
assert record.levelname == 'INFO'
assert expected in record.message
def test_keyring_set_password(monkeypatch, response_status, creds,
expect_save):
keyring = KeyringModuleV1()
monkeypatch.setattr('pip._internal.network.auth.keyring', keyring)
auth = MultiDomainBasicAuth(prompting=True)
monkeypatch.setattr(auth, '_get_url_and_credentials', lambda u:
(u, None, None))
monkeypatch.setattr(auth, '_prompt_for_password', lambda *a: creds)
if creds[2]:
# when _prompt_for_password indicates to save, we should save
def should_save_password_to_keyring(*a):
return True
else:
# when _prompt_for_password indicates not to save, we should
# never call this function
def should_save_password_to_keyring(*a):
assert False, ("_should_save_password_to_keyring should not be " +
"called")
monkeypatch.setattr(auth, '_should_save_password_to_keyring',
should_save_password_to_keyring)
req = MockRequest("https://example.com")
resp = MockResponse(b"")
resp.url = req.url
connection = MockConnection()
def _send(sent_req, **kwargs):
assert sent_req is req
assert "Authorization" in sent_req.headers
r = MockResponse(b"")
r.status_code = response_status
return r
connection._send = _send
resp.request = req
resp.status_code = 401
resp.connection = connection
auth.handle_401(resp)
if expect_save:
assert keyring.saved_passwords == [("example.com", creds[0], creds[1])]
else:
assert keyring.saved_passwords == []
def test_prepare_download__log(
caplog: pytest.LogCaptureFixture,
url: str,
headers: Dict[str, str],
from_cache: bool,
expected: str,
) -> None:
caplog.set_level(logging.INFO)
resp = MockResponse(b"")
resp.url = url
resp.headers = headers
if from_cache:
resp.from_cache = from_cache
link = Link(url)
_prepare_download(resp, link, progress_bar="on")
assert len(caplog.records) == 1
record = caplog.records[0]
assert record.levelname == "INFO"
assert expected in record.message