-rw-r--r--matweb/rest_api.py12
-rw-r--r--test/test_api.py18
2 files changed, 26 insertions, 4 deletions
diff --git a/matweb/rest_api.py b/matweb/rest_api.py
index 48dcc10..5784bec 100644
--- a/matweb/rest_api.py
+++ b/matweb/rest_api.py
@@ -7,7 +7,7 @@ from uuid import uuid4
7 7
8from flask import after_this_request, send_from_directory, Blueprint, current_app 8from flask import after_this_request, send_from_directory, Blueprint, current_app
9from flask_restful import Resource, reqparse, abort, request, url_for, Api 9from flask_restful import Resource, reqparse, abort, request, url_for, Api
10from cerberus import Validator 10from cerberus import Validator, DocumentError
11from werkzeug.datastructures import FileStorage 11from werkzeug.datastructures import FileStorage
12from flasgger import swag_from 12from flasgger import swag_from
13 13
@@ -157,9 +157,13 @@ class APIBulkDownloadCreator(Resource):
157 if not data: 157 if not data:
158 abort(400, message="Post Body Required") 158 abort(400, message="Post Body Required")
159 current_app.logger.error('BulkDownload - Missing Post Body') 159 current_app.logger.error('BulkDownload - Missing Post Body')
160 if not self.v.validate(data): 160 try:
161 current_app.logger.error('BulkDownload - Missing Post Body: %s', str(self.v.errors)) 161 if not self.v.validate(data):
162 abort(400, message=self.v.errors) 162 current_app.logger.error('BulkDownload - Missing Post Body: %s', str(self.v.errors))
163 abort(400, message=self.v.errors)
164 except DocumentError as e:
165 abort(400, message="Invalid Post Body")
166 current_app.logger.error('BulkDownload - Invalid Post Body: %s', str(e))
163 # prevent the zip file from being overwritten 167 # prevent the zip file from being overwritten
164 zip_filename = 'files.' + str(uuid4()) + '.zip' 168 zip_filename = 'files.' + str(uuid4()) + '.zip'
165 zip_path = os.path.join(current_app.config['UPLOAD_FOLDER'], zip_filename) 169 zip_path = os.path.join(current_app.config['UPLOAD_FOLDER'], zip_filename)
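Review bot: The `current_app.logger.error('BulkDownload - Invalid Post Body: %s', str(e))` call on new line 166 is unreachable, because `abort(400, message="Invalid Post Body")` on new line 165 raises an HTTPException (flask_restful's `abort` does not return), so the rejected request is never logged; the same log-after-abort order already exists on lines 158–159, which leaves that path silent too. Swap the two lines so the failure is recorded before the response is sent: `current_app.logger.error('BulkDownload - Invalid Post Body: %s', str(e))` followed by `abort(400, message="Invalid Post Body")`. The message on new line 162 still reads 'Missing Post Body' although that branch reports schema-validation failures of a body that is present, which makes log triage misleading; `'BulkDownload - Invalid Post Body: %s'` would describe the condition. The enclosing method starts before this hunk.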
diff --git a/test/test_api.py b/test/test_api.py
index 878b0ab..427a1f1 100644
--- a/test/test_api.py
+++ b/test/test_api.py
@@ -413,6 +413,24 @@ class Mat2APITestCase(unittest.TestCase):
413 request = app.get(download_link) 413 request = app.get(download_link)
414 self.assertEqual(code, request.status_code) 414 self.assertEqual(code, request.status_code)
415 415
416 def test_download_naughty_input(self):
417 request = self.app.get(
418 '/api/download/%F2%8C%BF%BD%F1%AE%98%A3%E4%B7%B8%F2%9B%94%BE%F2%A7%8B%83%F1%B1%80%9F%F3%AA%89%A6/1p/str'
419 )
420 error_message = request.get_json()['message']
421 self.assertEqual(404, request.status_code)
422 self.assertEqual("File not found", error_message)
423
424 def test_download_bulk_naughty_input(self):
425 request = self.app.post(
426 '/api/download/bulk',
427 data='\"\'\'\'&type %SYSTEMROOT%\\\\win.ini\"',
428 headers={'content-type': 'application/json'}
429 )
430 error_message = request.get_json()['message']
431 self.assertEqual(400, request.status_code)
432 self.assertEqual("Invalid Post Body", error_message)
433
416 def test_upload_naughty_input(self): 434 def test_upload_naughty_input(self):
417 request = self.app.post('/api/upload', 435 request = self.app.post('/api/upload',
418 data='{"file_name": "\\\\", ' 436 data='{"file_name": "\\\\", '