1 files changed, 18 insertions, 0 deletions
diff --git a/test/test_api.py b/test/test_api.py
index 878b0ab..427a1f1 100644
--- a/test/test_api.py
+++ b/test/test_api.py
@@ -413,6 +413,24 @@ class Mat2APITestCase(unittest.TestCase):
        request = app.get(download_link)
        self.assertEqual(code, request.status_code)
+    def test_download_naughty_input(self):
+        request = self.app.get(
+            '/api/download/%F2%8C%BF%BD%F1%AE%98%A3%E4%B7%B8%F2%9B%94%BE%F2%A7%8B%83%F1%B1%80%9F%F3%AA%89%A6/1p/str'
+        )
+        error_message = request.get_json()['message']
+        self.assertEqual(404, request.status_code)
+        self.assertEqual("File not found", error_message)
+    def test_download_bulk_naughty_input(self):
+        request = self.app.post(
+            '/api/download/bulk',
+            data='\"\'\'\'&type %SYSTEMROOT%\\\\win.ini\"',
+            headers={'content-type': 'application/json'}
+        )
+        error_message = request.get_json()['message']
+        self.assertEqual(400, request.status_code)
+        self.assertEqual("Invalid Post Body", error_message)
    def test_upload_naughty_input(self):
        request = self.app.post('/api/upload',
                           data='{"file_name": "\\\\", '

diff --git a/test/test_api.py b/test/test_api.py index 878b0ab..427a1f1 100644 --- a/test/test_api.py +++ b/test/test_api.py
@@ -413,6 +413,24 @@ class Mat2APITestCase(unittest.TestCase):
413	request = app.get(download_link)	413	request = app.get(download_link)
414	self.assertEqual(code, request.status_code)	414	self.assertEqual(code, request.status_code)
415		415
		416	def test_download_naughty_input(self):
		417	request = self.app.get(
		418	'/api/download/%F2%8C%BF%BD%F1%AE%98%A3%E4%B7%B8%F2%9B%94%BE%F2%A7%8B%83%F1%B1%80%9F%F3%AA%89%A6/1p/str'
		419	)
		420	error_message = request.get_json()['message']
		421	self.assertEqual(404, request.status_code)
		422	self.assertEqual("File not found", error_message)
		423
		424	def test_download_bulk_naughty_input(self):
		425	request = self.app.post(
		426	'/api/download/bulk',
		427	data='\"\'\'\'&type %SYSTEMROOT%\\\\win.ini\"',
		428	headers={'content-type': 'application/json'}
		429	)
		430	error_message = request.get_json()['message']
		431	self.assertEqual(400, request.status_code)
		432	self.assertEqual("Invalid Post Body", error_message)
		433
416	def test_upload_naughty_input(self):	434	def test_upload_naughty_input(self):
417	request = self.app.post('/api/upload',	435	request = self.app.post('/api/upload',
418	data='{"file_name": "\\\\", '	436	data='{"file_name": "\\\\", '