lollms-webui/tests/pentests/test_sanitize/test.py

import re
from pathlib import Path

import pytest
from ascii_colors import ASCIIColors
from fastapi import HTTPException


def sanitize_path_from_endpoint(
    path: str,
    error_text="A suspected LFI attack detected. The path sent to the server has suspicious elements in it!",
    exception_text="Invalid path!",
):
    if path.strip().startswith("/"):
        raise HTTPException(status_code=400, detail=exception_text)
    # Fix the case of "/" at the beginning on the path
    if path is None:
        return path

    # Regular expression to detect patterns like "...." and multiple forward slashes
    suspicious_patterns = re.compile(r"(\.\.+)|(/+/)")

    if suspicious_patterns.search(path) or Path(path).is_absolute():
        ASCIIColors.error(error_text)
        raise HTTPException(status_code=400, detail=exception_text)

    path = path.lstrip("/")
    return path


def test_sanitize_path_from_endpoint():
    # Test a valid path
    valid_path = "example/path"
    assert sanitize_path_from_endpoint(valid_path) == "example/path"

    # Test a path with suspicious elements
    suspicious_path = "/D:/POC/secret.txt"

    # suspicious_path = "/images//D:/POC/secret.txt"
    with pytest.raises(HTTPException):
        sanitize_path_from_endpoint(suspicious_path)

    # Add more test cases as needed


if __name__ == "__main__":
    test_sanitize_path_from_endpoint()
secured 2024-03-31 21:18:26 +02:00			`import re`
upgraded linting 2024-12-19 13:48:57 +01:00			`from pathlib import Path`

secured 2024-03-31 21:18:26 +02:00			`import pytest`
upgraded linting 2024-12-19 13:48:57 +01:00			`from ascii_colors import ASCIIColors`
			`from fastapi import HTTPException`


			`def sanitize_path_from_endpoint(`
			`path: str,`
			`error_text="A suspected LFI attack detected. The path sent to the server has suspicious elements in it!",`
			`exception_text="Invalid path!",`
			`):`
Enhanced 2024-04-04 18:20:24 +02:00			`if path.strip().startswith("/"):`
			`raise HTTPException(status_code=400, detail=exception_text)`
secured 2024-03-31 21:18:26 +02:00			`# Fix the case of "/" at the beginning on the path`
			`if path is None:`
			`return path`
upgraded linting 2024-12-19 13:48:57 +01:00
secured 2024-03-31 21:18:26 +02:00			`# Regular expression to detect patterns like "...." and multiple forward slashes`
upgraded linting 2024-12-19 13:48:57 +01:00			`suspicious_patterns = re.compile(r"(\.\.+)\|(/+/)")`

secured 2024-03-31 21:18:26 +02:00			`if suspicious_patterns.search(path) or Path(path).is_absolute():`
			`ASCIIColors.error(error_text)`
			`raise HTTPException(status_code=400, detail=exception_text)`
upgraded linting 2024-12-19 13:48:57 +01:00
			`path = path.lstrip("/")`
secured 2024-03-31 21:18:26 +02:00			`return path`


			`def test_sanitize_path_from_endpoint():`
			`# Test a valid path`
			`valid_path = "example/path"`
			`assert sanitize_path_from_endpoint(valid_path) == "example/path"`
upgraded linting 2024-12-19 13:48:57 +01:00
secured 2024-03-31 21:18:26 +02:00			`# Test a path with suspicious elements`
Enhanced 2024-04-04 18:20:24 +02:00			`suspicious_path = "/D:/POC/secret.txt"`
upgraded linting 2024-12-19 13:48:57 +01:00
			`# suspicious_path = "/images//D:/POC/secret.txt"`
secured 2024-03-31 21:18:26 +02:00			`with pytest.raises(HTTPException):`
			`sanitize_path_from_endpoint(suspicious_path)`
upgraded linting 2024-12-19 13:48:57 +01:00
secured 2024-03-31 21:18:26 +02:00			`# Add more test cases as needed`

upgraded linting 2024-12-19 13:48:57 +01:00
secured 2024-03-31 21:18:26 +02:00			`if __name__ == "__main__":`
			`test_sanitize_path_from_endpoint()`