def test_escape_root(tmp_path): td = str(tmp_path) cm = FileContentsManager(root_dir=td) # make foo, bar next to root with open(os.path.join(cm.root_dir, '..', 'foo'), 'w') as f: f.write('foo') with open(os.path.join(cm.root_dir, '..', 'bar'), 'w') as f: f.write('bar') with pytest.raises(HTTPError) as e: cm.get('..') expected_http_error(e, 404) with pytest.raises(HTTPError) as e: cm.get('foo/../../../bar') expected_http_error(e, 404) with pytest.raises(HTTPError) as e: cm.delete('../foo') expected_http_error(e, 404) with pytest.raises(HTTPError) as e: cm.rename('../foo', '../bar') expected_http_error(e, 404) with pytest.raises(HTTPError) as e: cm.save(model={ 'type': 'file', 'content': u'', 'format': 'text', }, path='../foo') expected_http_error(e, 404)
def test_escape_root(tmp_path): td = str(tmp_path) cm = FileContentsManager(root_dir=td) # make foo, bar next to root with open(os.path.join(cm.root_dir, "..", "foo"), "w") as f: f.write("foo") with open(os.path.join(cm.root_dir, "..", "bar"), "w") as f: f.write("bar") with pytest.raises(HTTPError) as e: cm.get("..") expected_http_error(e, 404) with pytest.raises(HTTPError) as e: cm.get("foo/../../../bar") expected_http_error(e, 404) with pytest.raises(HTTPError) as e: cm.delete("../foo") expected_http_error(e, 404) with pytest.raises(HTTPError) as e: cm.rename("../foo", "../bar") expected_http_error(e, 404) with pytest.raises(HTTPError) as e: cm.save(model={ "type": "file", "content": u"", "format": "text", }, path="../foo") expected_http_error(e, 404)