From aee0940b511486b35ef2c2d0607f4cd2c0b50f23 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 22 Feb 2019 21:17:48 +0100
Subject: Mitigate filename-based race conditions
---
 tests.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'tests.py')
diff --git a/tests.py b/tests.py
index 8ce7d7e..0289755 100644
--- a/tests.py
+++ b/tests.py
@@ -25,13 +25,18 @@ class FlaskrTestCase(unittest.TestCase):
 self.assertIn(b'audio/x-flac', rv.data)
 def test_get_download_dangerous_file(self):
- rv = self.app.get('/download/\..\filename')
+ rv = self.app.get('/download/1337/\..\filename')
 self.assertEqual(rv.status_code, 302)
- def test_get_download_nonexistant_file(self):
+ def test_get_download_without_key_file(self):
 rv = self.app.get('/download/non_existant')
+ self.assertEqual(rv.status_code, 404)
+
+ def test_get_download_nonexistant_file(self):
+ rv = self.app.get('/download/1337/non_existant')
 self.assertEqual(rv.status_code, 302)
+
 def test_get_upload_without_file(self):
 rv = self.app.post('/')
 self.assertEqual(rv.status_code, 302)
@@ -66,13 +71,13 @@ class FlaskrTestCase(unittest.TestCase):
 data=dict(
 file=(io.BytesIO(b"Some text"), 'test.txt'),
 ),
 follow_redirects=True)
- self.assertIn(b'/download/test.cleaned.txt', rv.data)
+ self.assertIn(b'/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt', rv.data)
 self.assertEqual(rv.status_code, 200)
- rv = self.app.get('/download/test.cleaned.txt')
+ rv = self.app.get('/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')
 self.assertEqual(rv.status_code, 200)
- rv = self.app.get('/download/test.cleaned.txt')
+ rv = self.app.get('/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')
 self.assertEqual(rv.status_code, 302)
--
cgit v1.3
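Review bot: The request path in `test_get_download_dangerous_file` is not the traversal string it reads as: in a normal string literal `\f` is a form-feed escape, so the client actually sends `/download/1337/\..` followed by a form feed and `ilename`, and `\.` is an invalid escape that newer Pythons warn about. Write it as a raw string, `rv = self.app.get(r'/download/1337/\..\filename')`, so the test exercises the input the author intended. As written, the 302 assertion may be passing for reasons unrelated to the path check under test.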
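Review bot: The upload/download test only exercises the correct key; nothing in the hunk asserts that a request for an existing cleaned file with a wrong key segment is refused, which is the property the commit message claims to add. Consider adding, before the successful download, `rv = self.app.get('/download/<wrong-key-placeholder>/test.cleaned.txt')` followed by `self.assertEqual(rv.status_code, 302)` (or whatever status the view returns for a bad key), so a regression in the key check is caught rather than masked by the later 200. The 64-hex key is also repeated as a literal three times; extracting it into a module-level constant, or parsing it out of `rv.data` after the upload, would keep the test readable if the derivation changes. The enclosing test method starts outside this hunk.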