示例#1
    def post(self, tip_id):
        """Write an uploaded file into the attachments directory and register it.

        After ``can_perform_action`` and ``get_rtip`` complete, the upload is
        written to ``Settings.attachments_path`` under a ``.plain`` name and
        recorded through ``register_wbfile_on_db`` with ``submission`` False.

        :param tip_id: identifier of the tip the file is attached to.
        """
        yield self.can_perform_action(self.request.tid,
                                      tip_id,
                                      self.uploaded_file['name'])

        rtip = yield get_rtip(self.request.tid,
                              self.current_user.user_id,
                              tip_id,
                              self.request.language)

        # basename() drops any directory components carried by the incoming
        # filename before it is used to build an on-disk path.
        incoming_name = os.path.basename(self.uploaded_file['filename'])

        # The split is on the first '.aes' anywhere in the name, not only a
        # trailing suffix: everything after that first occurrence is dropped.
        plain_name = str.split(incoming_name, '.aes')[0] + '.plain'

        attachments_root = Settings.attachments_path
        target = os.path.join(attachments_root, plain_name)

        # Guard defined elsewhere; it runs before anything is written.
        directory_traversal_check(attachments_root, target)

        # NOTE(review): going by the helper's name the content lands on disk
        # unencrypted; confirm the cleanup/retention of the '.plain' file, and
        # that two uploads cannot resolve to the same target name.
        yield threads.deferToThread(self.write_upload_plaintext_to_disk, target)

        self.uploaded_file['filename'] = plain_name
        self.uploaded_file['creation_date'] = datetime_now()
        self.uploaded_file['submission'] = False

        yield register_wbfile_on_db(self.request.tid,
                                    rtip['id'],
                                    self.uploaded_file)

        log.debug("Recorded new WhistleblowerFile %s",
                  self.uploaded_file['name'])
示例#2
    def get(self, rfile_id):
        """Send the receiver file ``rfile_id`` to the client as a download.

        The record comes from ``download_rfile`` for the request's tenant and
        the current user; its ``path`` is resolved under
        ``Settings.attachments_path``.

        :param rfile_id: identifier of the receiver file to download.
        """
        rfile = yield self.download_rfile(self.request.tid,
                                          self.current_user.user_id,
                                          rfile_id)

        attachments_root = Settings.attachments_path
        disk_path = os.path.join(attachments_root, rfile['path'])

        # os.path.join discards the root when the second component is
        # absolute, so the stored path is not trusted on its own: the guard
        # below (defined elsewhere) is the only containment check visible here.
        directory_traversal_check(attachments_root, disk_path)

        yield self.force_file_download(rfile['name'], disk_path)
示例#3
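    def delete(self, id):
        """Remove the stored file ``id`` from disk and delete its File row.

        The path is built from ``self.state.settings.files_path`` and ``id``
        and passed to ``directory_traversal_check`` before anything is
        unlinked. A file that is already absent is not an error; any other
        failure to unlink is raised instead of being skipped, so the database
        row is not deleted while the file silently stays on disk.

        :param id: identifier of the file, also used as its on-disk name.
        :return: the result of ``models.delete`` for this tenant's File row.
        """
        # Local import: the module's import block is outside this excerpt.
        import errno

        files_root = self.state.settings.files_path
        path = os.path.join(files_root, id)
        directory_traversal_check(files_root, path)

        # Unlink directly instead of exists()-then-remove(): the file can
        # disappear between the two calls (e.g. a concurrent delete), which
        # would turn a harmless no-op into an unhandled OSError.
        try:
            os.remove(path)
        except OSError as e:
            if e.errno != errno.ENOENT:
                raise

        # NOTE(review): the unlink above is keyed on ``id`` alone; only this
        # database delete is filtered by the request's tenant. Confirm that a
        # caller cannot pass the id of a file owned by another tenant.
        return models.delete(models.File, models.File.tid == self.request.tid,
                             models.File.id == id)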
示例#4
    def get(self, wbfile_id):
        """Send the whistleblower file ``wbfile_id`` to the client as a download.

        The record comes from ``download_wbfile`` for the request's tenant;
        its ``filename`` is resolved under ``Settings.attachments_path``.

        :param wbfile_id: identifier of the whistleblower file to download.
        """
        wbfile = yield self.download_wbfile(self.request.tid, wbfile_id)

        attachments_root = Settings.attachments_path
        disk_path = os.path.join(attachments_root, wbfile['filename'])

        # The stored filename is joined verbatim; the guard below (defined
        # elsewhere) is the only containment check visible before the read.
        directory_traversal_check(attachments_root, disk_path)

        yield self.write_file_as_download(wbfile['name'], disk_path)
示例#5
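    def delete(self, id):
        """Remove the stored file ``id`` from disk and delete its File row.

        ``permission_check`` is awaited first. The path is then built from
        ``self.state.settings.files_path`` and ``id`` and passed to
        ``directory_traversal_check`` before anything is unlinked. A file that
        is already absent is not an error; any other failure to unlink is
        raised instead of being skipped, so the database row is not deleted
        while the file silently stays on disk.

        :param id: identifier of the file, also used as its on-disk name.
        :return: (via ``returnValue``) the result of ``models.delete``.
        """
        # Local import: the module's import block is outside this excerpt.
        import errno

        yield self.permission_check()

        files_root = self.state.settings.files_path
        path = os.path.join(files_root, id)
        directory_traversal_check(files_root, path)

        # Unlink directly instead of exists()-then-remove(): the file can
        # disappear between the two calls (e.g. a concurrent delete), which
        # would turn a harmless no-op into an unhandled OSError.
        try:
            os.remove(path)
        except OSError as e:
            if e.errno != errno.ENOENT:
                raise

        # NOTE(review): the unlink above is keyed on ``id`` alone; only this
        # database delete is filtered by the request's tenant. Confirm that
        # permission_check() rules out ids belonging to another tenant.
        result = yield models.delete(models.File,
                                     models.File.tid == self.request.tid,
                                     models.File.id == id)
        returnValue(result)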
示例#6
    def get(self, filename):
        """Serve a static file from ``self.root``, preferring a ``.gz`` sibling.

        An empty ``filename`` is served as ``index.html``. If
        ``<file>.gz`` exists as a regular file it is written instead of the
        plain file.

        :param filename: path of the requested resource relative to the root.
        :raises errors.ResourceNotFound: neither variant is a regular file.
        """
        requested = filename or 'index.html'

        # abspath() collapses '..' segments lexically; it does not resolve
        # symlinks. NOTE(review): whether directory_traversal_check does is
        # not visible here - confirm if the root can contain symlinks.
        abspath = os.path.abspath(os.path.join(self.root, requested))
        directory_traversal_check(self.root, abspath)

        # The compressed candidate is derived from the already-checked path,
        # so it sits next to the plain file.
        gz_path = abspath + '.gz'
        if os.path.isfile(gz_path):
            return self.write_file(requested + '.gz', gz_path)

        if os.path.isfile(abspath):
            return self.write_file(requested, abspath)

        raise errors.ResourceNotFound()
示例#7
文件: l10n.py 项目: zshell/GlobaLeaks
def get_l10n(session, tid, lang):
    """Return the translation texts for ``lang`` with tenant overrides applied.

    The base texts are read from the language file returned by
    ``langfile_path(lang)``; the tenant's ``CustomTexts`` row, when there is
    one, is merged on top of them.

    :param session: database session used for the ``CustomTexts`` query.
    :param tid: tenant whose custom texts are applied.
    :param lang: language code; it determines the file path that is read.
    :raises errors.ResourceNotFound: the language file does not exist.
    """
    path = langfile_path(lang)

    # ``lang`` feeds the path, so the result is checked against the client
    # directory (guard defined elsewhere) before the filesystem is touched.
    directory_traversal_check(Settings.client_path, path)

    if not os.path.exists(path):
        raise errors.ResourceNotFound()

    texts = read_json_file(path)

    override_row = session.query(models.CustomTexts).filter(
        models.CustomTexts.lang == lang,
        models.CustomTexts.tid == tid).one_or_none()

    if override_row is None:
        overrides = {}
    else:
        overrides = override_row.texts

    # Tenant-specific entries win over the shipped ones on key collisions.
    texts.update(overrides)

    return texts
示例#8
def get_l10n(session, tid, lang):
    """Return the translation texts for ``lang`` with tenant overrides applied.

    When ``tid`` is not 1 and the ``public_node`` configuration read with id 1
    has ``mode`` set to ``whistleblowing.it``, the custom texts of tenant 1 are
    used instead of the caller's tenant.

    :param session: database session used for the config and text queries.
    :param tid: tenant whose custom texts are applied (see override above).
    :param lang: language code; it determines the file path that is read.
    :raises errors.ResourceNotFound: the language file does not exist.
    """
    # Presumably id 1 is the root tenant - TODO confirm against the schema.
    if tid != 1 and \
            ConfigFactory(session, 1, 'public_node').get_val(u'mode') == u'whistleblowing.it':
        tid = 1

    path = langfile_path(lang)

    # ``lang`` feeds the path, so the result is checked against the client
    # directory (guard defined elsewhere) before the filesystem is touched.
    directory_traversal_check(Settings.client_path, path)

    if not os.path.exists(path):
        raise errors.ResourceNotFound()

    texts = read_json_file(path)

    override_row = session.query(models.CustomTexts).filter(
        models.CustomTexts.lang == lang,
        models.CustomTexts.tid == tid).one_or_none()

    if override_row is None:
        overrides = {}
    else:
        overrides = override_row.texts

    # Custom entries win over the shipped ones on key collisions.
    texts.update(overrides)

    return texts
示例#9
 def test_directory_traversal_check_allowed(self):
     """A path directly inside the files directory is accepted by the check."""
     base_dir = Settings.files_path
     inside_path = os.path.join(base_dir, "valid.txt")
     # No assertion is made on a return value: the test passes when the
     # check returns without raising for an in-tree path.
     directory_traversal_check(base_dir, inside_path)