def test_download_http_url__no_directory_traversal(tmpdir):
"""
Test that directory traversal doesn't happen on download when the
Content-Disposition header contains a filename with a ".." path part.
"""
mock_url = 'http://www.example.com/whatever.tgz'
contents = b'downloaded'
link = Link(mock_url)
session = Mock()
resp = MockResponse(contents)
resp.url = mock_url
resp.headers = {
# Set the content-type to a random value to prevent
# mimetypes.guess_extension from guessing the extension.
'content-type': 'random',
'content-disposition': 'attachment;filename="../out_dir_file"'
}
session.get.return_value = resp
downloader = Downloader(session, progress_bar="on")
download_dir = tmpdir.joinpath('download')
os.mkdir(download_dir)
file_path, content_type = _download_http_url(
link,
downloader,
download_dir,
hashes=None,
)
# The file should be downloaded to download_dir.
actual = os.listdir(download_dir)
assert actual == ['out_dir_file']
def run(self, options, args):
self.port = options.port
bossacdir = str(
Path(user_config_dir + "/ardupycore/Seeeduino/tools/bossac"))
if not os.path.exists(bossacdir):
os.makedirs(bossacdir)
session = self.get_default_session(options)
if sys.platform == "linux":
link = Link(
"http://files.seeedstudio.com/arduino/tools/i686-linux-gnu/bossac-1.9.1-seeeduino-linux.tar.gz"
)
if sys.platform == "win32":
link = Link(
"http://files.seeedstudio.com/arduino/tools/i686-mingw32/bossac-1.9.1-seeeduino-windows.tar.bz2"
)
if sys.platform == "darwin":
link = Link(
"http://files.seeedstudio.com/arduino/tools/x86_64-apple-darwin/bossac-1.8-48-gb176eee-i386-apple-darwin16.1.0.tar.gz"
)
bossac = ""
if platform.system() == "Windows":
bossac = str(Path(bossacdir, "bossac.exe"))
else:
bossac = str(Path(bossacdir, "bossac"))
if not os.path.exists(bossac):
downloader = Downloader(session, progress_bar="on")
unpack_url(
link,
bossacdir,
downloader=downloader,
download_dir=None,
)
try_count = 0
do_bossac = True
while True:
stty = self.stty
print(stty)
if stty != "echo not support":
os.system(stty % 1200)
#os.system(str(bossac)+ " --help")
port, desc, hwid, isbootloader = self.serial.getBootloaderBoard()
print(port)
time.sleep(1)
if isbootloader == True:
break
try_count = try_count + 1
if try_count == 5:
do_bossac = False
break
if do_bossac == True:
name, version, url = self.serial.getBoardByPort(port)
ardupybin = ""
if len(args) > 0:
ardupybin = args[0]
if not os.path.exists(ardupybin):
log.warning('The path of firmware didn\'t exists!')
return ERROR
elif options.origin == True:
firmwaredir = str(
Path(user_config_dir + "/deploy/firmware/" +
name.replace(' ', '_')))
if not os.path.exists(firmwaredir):
os.makedirs(firmwaredir)
ardupybin = str(Path(firmwaredir, "ardupy_laster.bin"))
if not os.path.exists(ardupybin):
downloader = Downloader(session, progress_bar="on")
_download_http_url(link=Link(url),
downloader=downloader,
temp_dir=firmwaredir,
hashes=None)
else:
ardupybin = str(Path(user_config_dir + "/deploy/Ardupy.bin"))
_flash_parm = flash_param[name.replace(' ', '_')]
print((str(bossac) + _flash_parm) % (port, ardupybin))
os.system((str(bossac) + _flash_parm) % (port, ardupybin))
else:
log.warning("Sorry, the device you should have is not plugged in.")
return ERROR
return SUCCESS