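def test_download_http_url__no_directory_traversal(tmpdir):
    """
    Test that directory traversal doesn't happen on download when the
    Content-Disposition header contains a filename with a ".." path part.

    The mocked response advertises ``filename="../out_dir_file"``. If that
    name were joined to the download directory unsanitised, the file would
    resolve to the parent of ``download_dir`` (``tmpdir`` here). The test
    checks both where the file landed and where it must not have landed.
    """
    mock_url = 'http://www.example.com/whatever.tgz'
    contents = b'downloaded'
    link = Link(mock_url)

    session = Mock()
    resp = MockResponse(contents)
    resp.url = mock_url
    resp.headers = {
        # Set the content-type to a random value to prevent
        # mimetypes.guess_extension from guessing the extension.
        'content-type': 'random',
        'content-disposition': 'attachment;filename="../out_dir_file"'
    }
    session.get.return_value = resp
    downloader = Downloader(session, progress_bar="on")

    download_dir = tmpdir.joinpath('download')
    os.mkdir(download_dir)
    # The returned pair is not inspected; the filesystem state is what the
    # test asserts on.
    file_path, content_type = _download_http_url(
        link,
        downloader,
        download_dir,
        hashes=None,
    )

    # The file should be downloaded to download_dir, under the basename only.
    actual = os.listdir(download_dir)
    assert actual == ['out_dir_file']

    # Explicit negative check: nothing may exist at the location the ".."
    # component points to, i.e. directly under the parent of download_dir.
    assert not os.path.exists(tmpdir.joinpath('out_dir_file'))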
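def test_download_http_url__no_directory_traversal(
    mock_raise_for_status: Mock, tmpdir: Path
) -> None:
    """
    Test that directory traversal doesn't happen on download when the
    Content-Disposition header contains a filename with a ".." path part.

    The mocked response advertises ``filename="../out_dir_file"``. If that
    name were joined to the download directory unsanitised, the file would
    resolve to the parent of ``download_dir`` (``tmpdir`` here). The test
    checks both where the file landed and where it must not have landed, and
    that ``mock_raise_for_status`` was called exactly once with the response.
    """
    mock_url = "http://www.example.com/whatever.tgz"
    contents = b"downloaded"
    link = Link(mock_url)

    session = Mock()
    resp = MockResponse(contents)
    resp.url = mock_url
    resp.headers = {
        # Set the content-type to a random value to prevent
        # mimetypes.guess_extension from guessing the extension.
        "content-type": "random",
        "content-disposition": 'attachment;filename="../out_dir_file"',
    }
    session.get.return_value = resp
    download = Downloader(session, progress_bar="on")

    download_dir = os.fspath(tmpdir.joinpath("download"))
    os.mkdir(download_dir)
    # The returned pair is not inspected; the filesystem state is what the
    # test asserts on.
    file_path, content_type = download(link, download_dir)

    # The file should be downloaded to download_dir, under the basename only.
    actual = os.listdir(download_dir)
    assert actual == ["out_dir_file"]

    # Explicit negative check: nothing may exist at the location the ".."
    # component points to, i.e. directly under the parent of download_dir.
    assert not os.path.exists(tmpdir.joinpath("out_dir_file"))

    mock_raise_for_status.assert_called_once_with(resp)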
def test_prepare_download__log(caplog, url, headers, from_cache, expected):
    """
    Check that _prepare_download emits exactly one INFO log record whose
    message contains ``expected`` for the given URL, headers and cache state.
    """
    caplog.set_level(logging.INFO)

    link = Link(url)
    response = MockResponse(b'')
    response.url = url
    response.headers = headers
    # The attribute is only set for the cached cases; otherwise the mock
    # response is left as MockResponse built it.
    if from_cache:
        response.from_cache = from_cache

    _prepare_download(response, link, progress_bar="on")

    captured = caplog.records
    assert len(captured) == 1
    only_record = captured[0]
    assert only_record.levelname == 'INFO'
    assert expected in only_record.message
def test_prepare_download__log(
    caplog: pytest.LogCaptureFixture,
    url: str,
    headers: Dict[str, str],
    from_cache: bool,
    expected: str,
) -> None:
    """
    Check that _prepare_download emits exactly one INFO log record whose
    message contains ``expected`` for the given URL, headers and cache state.
    """
    caplog.set_level(logging.INFO)

    link = Link(url)
    response = MockResponse(b"")
    response.url = url
    response.headers = headers
    # The attribute is only set for the cached cases; otherwise the mock
    # response is left as MockResponse built it.
    if from_cache:
        response.from_cache = from_cache

    _prepare_download(response, link, progress_bar="on")

    captured = caplog.records
    assert len(captured) == 1
    only_record = captured[0]
    assert only_record.levelname == "INFO"
    assert expected in only_record.message