def post(self, tip_id):
    """Accept a file uploaded for tip *tip_id* and record it as a WhistleblowerFile.

    The upload is first written to the attachments directory as plaintext and
    only then registered in the database, flagged as a non-submission file.
    Presumably driven by Twisted's inlineCallbacks (decorator not visible here).
    """
    yield self.can_perform_action(self.request.tid, tip_id, self.uploaded_file['name'])

    rtip = yield get_rtip(self.request.tid,
                          self.current_user.user_id,
                          tip_id,
                          self.request.language)

    # On-disk name: the upload's basename, truncated at the first '.aes' and
    # suffixed '.plain'.
    uploaded_name = os.path.basename(self.uploaded_file['filename'])
    plain_name = uploaded_name.partition('.aes')[0] + '.plain'
    destination = os.path.join(Settings.attachments_path, plain_name)

    # The name originates from the upload; confine the resulting path to the
    # attachments directory before touching the filesystem.
    directory_traversal_check(Settings.attachments_path, destination)

    yield threads.deferToThread(self.write_upload_plaintext_to_disk, destination)

    self.uploaded_file['filename'] = plain_name
    self.uploaded_file['creation_date'] = datetime_now()
    self.uploaded_file['submission'] = False

    yield register_wbfile_on_db(self.request.tid, rtip['id'], self.uploaded_file)

    log.debug("Recorded new WhistleblowerFile %s", self.uploaded_file['name'])
def get(self, rfile_id):
    """Force a download of receiver file *rfile_id* for the current user.

    The file's stored relative path is resolved under the attachments
    directory and confined there before anything is served.
    Presumably driven by Twisted's inlineCallbacks (decorator not visible here).
    """
    rfile = yield self.download_rfile(self.request.tid,
                                      self.current_user.user_id,
                                      rfile_id)

    location = os.path.join(Settings.attachments_path, rfile['path'])
    # rfile['path'] comes back from the database; still refuse anything that
    # would resolve outside the attachments directory.
    directory_traversal_check(Settings.attachments_path, location)

    yield self.force_file_download(rfile['name'], location)
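def delete(self, id):
    """Remove uploaded file *id* from disk and delete its File row.

    Args:
        id: file identifier; it doubles as the file's name on disk, so the
            resulting path is confined to files_path before any access.

    Returns:
        Whatever ``models.delete`` returns for the matching File row of the
        current tenant.
    """
    path = os.path.join(self.state.settings.files_path, id)
    directory_traversal_check(self.state.settings.files_path, path)

    # Remove unconditionally and tolerate an already-missing file rather than
    # pairing exists() with remove(): this closes the check-then-act window
    # and also clears a dangling symlink, which exists() reports as absent.
    try:
        os.remove(path)
    except FileNotFoundError:
        pass

    return models.delete(models.File,
                         models.File.tid == self.request.tid,
                         models.File.id == id)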
def get(self, wbfile_id):
    """Write WhistleblowerFile *wbfile_id* to the response as a download.

    The stored filename is resolved under the attachments directory and
    confined there before the file is read.
    Presumably driven by Twisted's inlineCallbacks (decorator not visible here).
    """
    wbfile = yield self.download_wbfile(self.request.tid, wbfile_id)

    location = os.path.join(Settings.attachments_path, wbfile['filename'])
    # wbfile['filename'] comes back from the database; still refuse anything
    # that would resolve outside the attachments directory.
    directory_traversal_check(Settings.attachments_path, location)

    yield self.write_file_as_download(wbfile['name'], location)
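def delete(self, id):
    """Remove uploaded file *id* from disk and delete its File row.

    Runs the permission check first. *id* doubles as the file's name on
    disk, so the resulting path is confined to files_path before any access.
    Presumably driven by Twisted's inlineCallbacks (decorator not visible here).

    Returns (via returnValue):
        Whatever ``models.delete`` yields for the matching File row of the
        current tenant.
    """
    yield self.permission_check()

    path = os.path.join(self.state.settings.files_path, id)
    directory_traversal_check(self.state.settings.files_path, path)

    # Remove unconditionally and tolerate an already-missing file rather than
    # pairing exists() with remove(): this closes the check-then-act window
    # and also clears a dangling symlink, which exists() reports as absent.
    try:
        os.remove(path)
    except FileNotFoundError:
        pass

    result = yield models.delete(models.File,
                                 models.File.tid == self.request.tid,
                                 models.File.id == id)
    returnValue(result)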
def get(self, filename):
    """Serve static file *filename* from ``self.root``.

    An empty name maps to ``index.html``. A pre-compressed ``.gz`` sibling,
    when present, is served in preference to the plain file.

    Raises:
        errors.ResourceNotFound: when neither variant is a regular file.
    """
    requested = filename or 'index.html'
    target = os.path.abspath(os.path.join(self.root, requested))

    # The name comes from the request: reject anything that resolves outside
    # root before any filesystem probe.
    directory_traversal_check(self.root, target)

    # isfile() is False for a missing path, so no separate exists() is needed.
    gz_target = target + '.gz'
    if os.path.isfile(gz_target):
        return self.write_file(requested + '.gz', gz_target)

    if os.path.isfile(target):
        return self.write_file(requested, target)

    raise errors.ResourceNotFound()
def get_l10n(session, tid, lang):
    """Return the UI texts for *lang*, overlaid with tenant *tid*'s custom texts.

    Args:
        session: database session used to look up CustomTexts.
        tid: tenant whose custom texts are applied on top of the base file.
        lang: language code selecting the base language file.

    Raises:
        errors.ResourceNotFound: when no language file exists for *lang*.
    """
    path = langfile_path(lang)
    # lang is caller-supplied and shapes a filesystem path: confine the
    # result to the client directory before probing or reading it.
    directory_traversal_check(Settings.client_path, path)
    if not os.path.exists(path):
        raise errors.ResourceNotFound()

    texts = read_json_file(path)

    row = session.query(models.CustomTexts).filter(
        models.CustomTexts.lang == lang,
        models.CustomTexts.tid == tid).one_or_none()

    overrides = {} if row is None else row.texts
    texts.update(overrides)
    return texts
def get_l10n(session, tid, lang):
    """Return the UI texts for *lang*, overlaid with the applicable custom texts.

    Args:
        session: database session used to look up CustomTexts and config.
        tid: tenant whose custom texts are applied; when the root node
            (tenant 1) runs in 'whistleblowing.it' mode, the root tenant's
            custom texts are used for every tenant instead.
        lang: language code selecting the base language file.

    Raises:
        errors.ResourceNotFound: when no language file exists for *lang*.
    """
    if tid != 1:
        root_node = ConfigFactory(session, 1, 'public_node')
        if root_node.get_val(u'mode') == u'whistleblowing.it':
            tid = 1

    path = langfile_path(lang)
    # lang is caller-supplied and shapes a filesystem path: confine the
    # result to the client directory before probing or reading it.
    directory_traversal_check(Settings.client_path, path)
    if not os.path.exists(path):
        raise errors.ResourceNotFound()

    texts = read_json_file(path)

    row = session.query(models.CustomTexts).filter(
        models.CustomTexts.lang == lang,
        models.CustomTexts.tid == tid).one_or_none()

    overrides = {} if row is None else row.texts
    texts.update(overrides)
    return texts
def test_directory_traversal_check_allowed(self):
    """A path directly inside files_path must pass the traversal check without raising."""
    allowed_path = os.path.join(Settings.files_path, "valid.txt")
    directory_traversal_check(Settings.files_path, allowed_path)