ExternalVendorCode/gns3-server
1
0
Fork 0
mirror of https://github.com/GNS3/gns3-server.git synced 2025-06-23 01:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Change method to prevent forbidden directory traversal. Ref #1894

Browse Source
This commit is contained in:
grossmj
2021-05-16 14:29:56 +09:30
parent f3d81fa450
commit 2bf16f1e5f
8 changed files with 104 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
tests/api/routes/compute/test_iou_nodes.py
View File

@ -415,7 +415,23 @@ async def test_upload_image(app: FastAPI, client: AsyncClient, tmpdir) -> None:
assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
async def test_download_image_escape(app: FastAPI, client: AsyncClient, tmpdir) -> None:
async def test_upload_image_forbidden_location(app: FastAPI, client: AsyncClient) -> None:
file_path = "%2e%2e/hello"
response = await client.post(app.url_path_for("upload_dynamips_image", filename=file_path), content=b"TEST")
assert response.status_code == status.HTTP_403_FORBIDDEN
async def test_download_image(app: FastAPI, client: AsyncClient, images_dir: str) -> None:
response = await client.post(app.url_path_for("upload_dynamips_image", filename="test3"), content=b"TEST")
assert response.status_code == status.HTTP_204_NO_CONTENT
response = await client.get(app.url_path_for("download_dynamips_image", filename="test3"))
assert response.status_code == status.HTTP_200_OK
async def test_download_image_forbidden(app: FastAPI, client: AsyncClient, tmpdir) -> None:
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
response = await client.get(app.url_path_for("download_iou_image", filename=file_path))