mirror of
https://github.com/GNS3/gns3-server.git
synced 2024-12-24 06:56:42 +00:00
Fixes path normalization during file upload on nodes (Fixes: #2276)
This commit is contained in:
parent
897f7656da
commit
be35ad6874
@ -367,6 +367,7 @@ class NodeHandler:
|
||||
path = request.match_info["path"]
|
||||
path = force_unix_path(path)
|
||||
|
||||
|
||||
# Raise error if user try to escape
|
||||
if path[0] == ".":
|
||||
raise aiohttp.web.HTTPForbidden
|
||||
@ -401,7 +402,7 @@ class NodeHandler:
|
||||
project = yield from Controller.instance().get_loaded_project(request.match_info["project_id"])
|
||||
node = project.get_node(request.match_info["node_id"])
|
||||
path = request.match_info["path"]
|
||||
path = os.path.normpath(path)
|
||||
path = force_unix_path(path)
|
||||
|
||||
# Raise error if user try to escape
|
||||
if path[0] == ".":
|
||||
|
@ -258,3 +258,20 @@ def test_post_file(http_controller, tmpdir, project, node, compute):
|
||||
|
||||
response = http_controller.get("/projects/{project_id}/nodes/{node_id}/files/../hello".format(project_id=project.id, node_id=node.id), raw=True)
|
||||
assert response.status == 404
|
||||
|
||||
|
||||
def test_get_and_post_with_nested_paths_normalization(http_controller, tmpdir, project, node, compute):
|
||||
response = MagicMock()
|
||||
response.body = b"world"
|
||||
compute.http_query = AsyncioMagicMock(return_value=response)
|
||||
response = http_controller.get("/projects/{project_id}/nodes/{node_id}/files/hello\\nested".format(project_id=project.id, node_id=node.id), raw=True)
|
||||
assert response.status == 200
|
||||
assert response.body == b'world'
|
||||
|
||||
compute.http_query.assert_called_with("GET", "/projects/{project_id}/files/project-files/vpcs/{node_id}/hello/nested".format(project_id=project.id, node_id=node.id), timeout=None, raw=True)
|
||||
|
||||
compute.http_query = AsyncioMagicMock()
|
||||
response = http_controller.post("/projects/{project_id}/nodes/{node_id}/files/hello\\nested".format(project_id=project.id, node_id=node.id), body=b"hello", raw=True)
|
||||
assert response.status == 201
|
||||
|
||||
compute.http_query.assert_called_with("POST", "/projects/{project_id}/files/project-files/vpcs/{node_id}/hello/nested".format(project_id=project.id, node_id=node.id), data=b'hello', timeout=None, raw=True)
|
||||
|
Loading…
Reference in New Issue
Block a user