From 853ace7d83424f85d903f6ffe2352bf41f86b7ce Mon Sep 17 00:00:00 2001
From: jfriedli
Date: Fri, 8 May 2020 09:10:18 -0700
Subject: Resolve "Fuzzing Errors /api/upload"
---
 test/test.py | 12 ++++++++++++
 test/test_api.py | 21 ++++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
(limited to 'test')
diff --git a/test/test.py b/test/test.py
index 2d09662..7431881 100644
--- a/test/test.py
+++ b/test/test.py
@@ -179,6 +179,18 @@ class Mat2WebTestCase(TestCase):
 self.assertIn(b'.mp2', rv.data)
 self.assertEqual(rv.status_code, 200)
+ def test_get_upload_naughty_input(self):
+ rv = self.client.post(
+ '/',
+ data=dict(
+ file=(io.BytesIO(b"a"), '﷽'),
+ ),
+ follow_redirects=True
+ )
+ self.assertEqual(rv.status_code, 200)
+ self.assertIn(b'Invalid Filename', rv.data)
+
+
 if __name__ == '__main__':
 unittest.main()
diff --git a/test/test_api.py b/test/test_api.py
index 4925d9e..af736af 100644
--- a/test/test_api.py
+++ b/test/test_api.py
@@ -70,7 +70,7 @@ class Mat2APITestCase(unittest.TestCase):
 self.assertEqual(request.status_code, 400)
 error = request.get_json()['message']
- self.assertEqual(error, 'Failed decoding file: Incorrect padding')
+ self.assertEqual(error, 'Failed decoding file')
 def test_api_not_supported(self):
 request = self.app.post('/api/upload',
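Review bot: `test_get_upload_naughty_input` in test/test.py is named for a GET but issues `self.client.post('/', ...)`, and nothing in it records why the '﷽' filename is expected to be rejected. Renaming it to `test_post_upload_naughty_input` and adding a docstring such as `"""A non-ASCII-only filename must yield 'Invalid Filename' instead of an unhandled error."""` would state the purpose of this regression test; the "unhandled error" part is inferred from the commit subject, since the view code is not in this patch. The status check of 200 appears to hold only because `follow_redirects=True` lands on the rendered page, so a one-line comment saying that would stop a later reader from treating 200 as acceptance of the upload.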
@@ -400,6 +400,25 @@ class Mat2APITestCase(unittest.TestCase):
 request = app.get(download_link)
 self.assertEqual(code, request.status_code)
+ def test_upload_naughty_input(self):
+ request = self.app.post('/api/upload',
+ data='{"file_name": "\\\\", '
+ '"file": "\\\\"}',
+ headers={'content-type': 'application/json'}
+ )
+ error_message = request.get_json()['message']
+ self.assertEqual(400, request.status_code)
+ self.assertEqual("Invalid Filename", error_message)
+
+ request = self.app.post('/api/upload',
+ data='{"file_name": "﷽", '
+ '"file": "﷽"}',
+ headers={'content-type': 'application/json'}
+ )
+ error_message = request.get_json()['message']
+ self.assertEqual(400, request.status_code)
+ self.assertEqual("Failed decoding file", error_message)
+
 if __name__ == '__main__':
 unittest.main()
--
cgit v1.3
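Review bot: The second case in `test_upload_naughty_input` sends '﷽' as both `file_name` and `file` and expects "Failed decoding file", so the request appears to fail at payload decoding and never reach the filename check. The API test therefore pins "Invalid Filename" only for the backslash name. A further case pairing `"file_name": "﷽"` with a decodable payload (constructed example: `"file": "YQ=="`) would cover filename validation for non-ASCII names on /api/upload, as the web test does for `/`. The expected message for that case depends on handler code not shown in this patch. Wrapping each case in `with self.subTest(...)` would also keep a failure in the first case from hiding the result of the second.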