authorjvoisin2019-02-22 21:17:48 +0100
committerjvoisin2019-02-22 21:17:48 +0100
commitaee0940b511486b35ef2c2d0607f4cd2c0b50f23 (patch)
tree9e20cac51df16c617b4cd089ce95495b546d29ef /tests.py
parent12be535945cbfbf0aa8ca149348b0eb683a23d5b (diff)
Mitigate filename-based race conditions
Diffstat (limited to 'tests.py')
-rw-r--r--tests.py15
1 files changed, 10 insertions, 5 deletions
diff --git a/tests.py b/tests.py
index 8ce7d7e..0289755 100644
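--- a/tests.py
+++ b/tests.py
@@ -25,13 +25,18 @@ class FlaskrTestCase(unittest.TestCase):
 self.assertIn(b'audio/x-flac', rv.data)
 
 def test_get_download_dangerous_file(self):
-rv = self.app.get('/download/\..\filename')
+rv = self.app.get('/download/1337/\..\filename')
 self.assertEqual(rv.status_code, 302)
 
-def test_get_download_nonexistant_file(self):
+def test_get_download_without_key_file(self):
 rv = self.app.get('/download/non_existant')
+self.assertEqual(rv.status_code, 404)
+
+def test_get_download_nonexistant_file(self):
+rv = self.app.get('/download/1337/non_existant')
 self.assertEqual(rv.status_code, 302)
 
+
 def test_get_upload_without_file(self):
 rv = self.app.post('/')
 self.assertEqual(rv.status_code, 302)
@@ -66,13 +71,13 @@ class FlaskrTestCase(unittest.TestCase):
 data=dict(
 file=(io.BytesIO(b"Some text"), 'test.txt'),
 ), follow_redirects=True)
-self.assertIn(b'/download/test.cleaned.txt', rv.data)
+self.assertIn(b'/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt', rv.data)
 self.assertEqual(rv.status_code, 200)
 
-rv = self.app.get('/download/test.cleaned.txt')
+rv = self.app.get('/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')
 self.assertEqual(rv.status_code, 200)
 
-rv = self.app.get('/download/test.cleaned.txt')
+rv = self.app.get('/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')
 self.assertEqual(rv.status_code, 302)
 
 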
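Review bot: Nothing in the second hunk checks that an uploaded file is refused when the key segment is wrong: the new assertions only request `test.cleaned.txt` under the key the upload page returned, and the `1337` cases in the first hunk use names that do not exist. A request placed between the upload and the first valid download, using a constructed key such as `rv = self.app.get('/download/' + '0' * 64 + '/test.cleaned.txt')` followed by `self.assertNotEqual(rv.status_code, 200)`, would pin the behaviour this commit appears to add, and the existing 200 assertion after it would then also show that a mismatched request does not consume the file. Separately, in `test_get_download_dangerous_file` the literal `'/download/1337/\..\filename'` is not a raw string, so `\f` is a form feed and the test does not send the path it appears to; a raw string or an explicit `../` form would make the intent testable. The enclosing upload test starts above the hunk, so its name and setup are not visible here.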