mat2-web/test/test.py

import base64
import unittest
import tempfile
import shutil
import io
import os

from unittest.mock import patch
from flask_testing import TestCase

import main


class Mat2WebTestCase(TestCase):
    def create_app(self):
        os.environ.setdefault('MAT2_ALLOW_ORIGIN_WHITELIST', 'origin1.gnu origin2.gnu')
        self.upload_folder = tempfile.mkdtemp()
        app = main.create_app(
            test_config={
                'TESTING': True,
                'UPLOAD_FOLDER': self.upload_folder
            }
        )
        return app

    def tearDown(self):
        shutil.rmtree(self.upload_folder)

    def test_get_root(self):
        rv = self.client.get('/')
        self.assertIn(b'mat2-web', rv.data)

    def test_check_mimetypes(self):
        rv = self.client.get('/')
        self.assertIn(b'.torrent', rv.data)
        self.assertIn(b'.ods', rv.data)

    def test_get_download_dangerous_file(self):
        rv = self.client.get('/download/1337/aabb/\..\filename')
        self.assertEqual(rv.status_code, 302)

    def test_get_download_without_key_file(self):
        rv = self.client.get('/download/non_existant')
        self.assertEqual(rv.status_code, 404)

    def test_get_download_nonexistant_file(self):
        rv = self.client.get('/download/1337/aabb/non_existant')
        self.assertEqual(rv.status_code, 302)

    def test_get_upload_without_file(self):
        rv = self.client.post('/')
        self.assertEqual(rv.status_code, 302)

    def test_get_upload_empty_file(self):
        rv = self.client.post('/',
                data=dict(
                    file=(io.BytesIO(b""), 'test.pdf'),
                    ), follow_redirects=False)
        self.assertEqual(rv.status_code, 302)

    def test_get_upload_bad_file_type(self):
        rv = self.client.post('/',
                data=dict(
                    file=(io.BytesIO(b"1,2,3 \n 4,5,6"), 'test.csv'),
                    ), follow_redirects=False)
        self.assertEqual(rv.status_code, 200)
        self.assertIn(b'The type text/csv could not be cleaned', rv.data)

    def test_get_upload_empty_file_redir(self):
        rv = self.client.post('/',
                data=dict(
                    file=(io.BytesIO(b""), 'test.pdf'),
                    ), follow_redirects=True)
        self.assertIn(b'The filetype is not supported',
                rv.data)
        self.assertEqual(rv.status_code, 200)

    def test_get_upload_no_selected_file(self):
        rv = self.client.post('/',
                           data=dict(
                               file=(io.BytesIO(b""), ''),
                           ), follow_redirects=True)
        self.assertIn(b'No selected file',
                      rv.data)
        self.assertEqual(rv.status_code, 200)

    def test_failed_cleaning(self):
        zip_file_bytes = base64.b64decode(
            'UEsDBBQACAAIAPicPE8AAAAAAAAAAAAAAAAXACAAZmFpbGluZy5ub3Qtd29ya2luZy1le'
            'HRVVA0AB+Saj13kmo9d5JqPXXV4CwABBOkDAAAE6QMAAAMAUEsHCAAAAAACAAAAAAAAAFBL'
            'AwQUAAgACAD6nDxPAAAAAAAAAAAAAAAACQAgAHRlc3QuanNvblVUDQAH6JqPXeiaj13omo9d'
            'dXgLAAEE6QMAAATpAwAAAwBQSwcIAAAAAAIAAAAAAAAAUEsBAhQDFAAIAAgA+Jw8TwAAAAACA'
            'AAAAAAAABcAIAAAAAAAAAAAAKSBAAAAAGZhaWxpbmcubm90LXdvcmtpbmctZXh0VVQNAAfkmo9'
            'd5JqPXeSaj111eAsAAQTpAwAABOkDAABQSwECFAMUAAgACAD6nDxPAAAAAAIAAAAAAAAACQAgA'
            'AAAAAAAAAAApIFnAAAAdGVzdC5qc29uVVQNAAfomo9d6JqPXeiaj111eAsAAQTpAwAABOkDAAB'
            'QSwUGAAAAAAIAAgC8AAAAwAAAAAAA'
        )
        rv = self.client.post('/',
                           data=dict(
                               file=(io.BytesIO(zip_file_bytes), 'test.zip'),
                           ), follow_redirects=True)
        self.assertIn(b'Unable to clean', rv.data)
        self.assertEqual(rv.status_code, 200)

    def test_get_upload_no_file_name(self):
        rv = self.client.post('/',
                data=dict(
                    file=(io.BytesIO(b"aaa")),
                    ), follow_redirects=True)
        self.assertIn(b'No file part', rv.data)
        self.assertEqual(rv.status_code, 200)

    def test_get_upload_harmless_file(self):
        rv = self.client.post(
            '/',
            data=dict(
                file=(io.BytesIO(b"Some text"), 'test.txt'),
            ),
            follow_redirects=True
        )
        download_uri = self.get_context_variable('download_uri')
        self.assertIn('/test.cleaned.txt', download_uri)
        self.assertEqual(rv.status_code, 200)
        self.assertNotIn('Access-Control-Allow-Origin', rv.headers)

        rv = self.client.get(download_uri)
        self.assertEqual(rv.status_code, 200)

        rv = self.client.get(download_uri)
        self.assertEqual(rv.status_code, 302)

    def test_upload_wrong_hash_or_secret(self):
        rv = self.client.post(
            '/',
            data=dict(
                file=(io.BytesIO(b"Some text"), 'test.txt'),
            ),
            follow_redirects=True
        )

        download_uri = self.get_context_variable('download_uri')

        self.assertIn('/test.cleaned.txt', download_uri)
        self.assertIn('/download', download_uri)
        self.assertEqual(rv.status_code, 200)

        uri_parts = download_uri.split("/")
        self.assertEqual(len(uri_parts[2]), len(uri_parts[3]))
        self.assertEqual(64, len(uri_parts[2]))

        key_uri_parts = uri_parts
        key_uri_parts[2] = '70623619c'
        rv = self.client.get("/".join(key_uri_parts))
        self.assertEqual(rv.status_code, 302)

        key_uri_parts = uri_parts
        key_uri_parts[3] = '70623619c'
        rv = self.client.get("/".join(key_uri_parts))
        self.assertEqual(rv.status_code, 302)

    @patch('matweb.file_removal_scheduler.random.randint')
    def test_upload_leftover(self, randint_mock):
        randint_mock.return_value = 0
        os.environ['MAT2_MAX_FILE_AGE_FOR_REMOVAL'] = '0'
        app = main.create_app()
        self.upload_folder = tempfile.mkdtemp()
        app.config.update(
            TESTING=True,
            UPLOAD_FOLDER=self.upload_folder
        )
        app = app.test_client()

        request = self.client.post('/',
                           data=dict(
                               file=(io.BytesIO(b"Some text"), 'test.txt'),
                           ), follow_redirects=True)
        self.assertEqual(request.status_code, 200)

        request = app.get(self.get_context_variable('download_uri'))
        self.assertEqual(302, request.status_code)
        os.environ['MAT2_MAX_FILE_AGE_FOR_REMOVAL'] = str(15*60)

    def test_info_page(self):
        rv = self.client.get('/info')
        self.assertIn(b'What are metadata?', rv.data)
        self.assertIn(b'.jpg', rv.data)
        self.assertIn(b'.mp2', rv.data)
        self.assertEqual(rv.status_code, 200)

    def test_get_upload_no_ascii_no_ext_input(self):
        rv = self.client.post(
            '/',
            data=dict(
                file=(io.BytesIO(b"a"), '﷽.txt'),
            ),
            follow_redirects=True
        )
        self.assertEqual(rv.status_code, 200)
        self.assertIn(b'.cleaned.txt', rv.data)

    def test_get_upload_no_ascii_stem_input(self):
        pdfBytes = b"%PDF-1.\n 1 0 obj<</Pages 2 0 R>>endobj\n2 0 obj<</Kids[3 0 R]/Count 1>>endobj\n3 0 obj<</Parent 2 0 R>>endobj\ntrailer <</Root 1 0 R>>"
        rv = self.client.post(
            '/',
            data=dict(
                file=(io.BytesIO(pdfBytes), '한국어.pdf'),
            ),
            follow_redirects=True
        )
        self.assertEqual(rv.status_code, 200)
        self.assertIn(b'.cleaned.pdf', rv.data)

if __name__ == '__main__':
    unittest.main()
file removal background job 2020-03-27 10:59:16 -07:00			`import base64`
Add some tests 2018-12-16 20:36:02 +01:00			`import unittest`
Add even more tests 2018-12-16 21:33:18 +01:00			`import tempfile`
			`import shutil`
			`import io`
added a docker dev environment Signed-off-by: Jan Friedli <jan.friedli@immerda.ch> 2019-07-09 14:56:21 -07:00			`import os`
Add some tests 2018-12-16 20:36:02 +01:00
file removal background job 2020-03-27 10:59:16 -07:00			`from unittest.mock import patch`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`from flask_testing import TestCase`
file removal background job 2020-03-27 10:59:16 -07:00
Add some tests 2018-12-16 20:36:02 +01:00			`import main`


Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`class Mat2WebTestCase(TestCase):`
			`def create_app(self):`
added a docker dev environment Signed-off-by: Jan Friedli <jan.friedli@immerda.ch> 2019-07-09 14:56:21 -07:00			`os.environ.setdefault('MAT2_ALLOW_ORIGIN_WHITELIST', 'origin1.gnu origin2.gnu')`
			`self.upload_folder = tempfile.mkdtemp()`
Refactoring 2020-04-23 10:39:35 -07:00			`app = main.create_app(`
			`test_config={`
			`'TESTING': True,`
			`'UPLOAD_FOLDER': self.upload_folder`
			`}`
added a docker dev environment Signed-off-by: Jan Friedli <jan.friedli@immerda.ch> 2019-07-09 14:56:21 -07:00			`)`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`return app`
Add some tests 2018-12-16 20:36:02 +01:00
Add even more tests 2018-12-16 21:33:18 +01:00			`def tearDown(self):`
added a docker dev environment Signed-off-by: Jan Friedli <jan.friedli@immerda.ch> 2019-07-09 14:56:21 -07:00			`shutil.rmtree(self.upload_folder)`
Add even more tests 2018-12-16 21:33:18 +01:00
Add some tests 2018-12-16 20:36:02 +01:00			`def test_get_root(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.get('/')`
Add some tests 2018-12-16 20:36:02 +01:00			`self.assertIn(b'mat2-web', rv.data)`

Supported types are now directly provided by mat2 2018-12-16 21:47:25 +01:00			`def test_check_mimetypes(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.get('/')`
Improve the display of supported formats - Show the extension instead of the mimetype - Sort the results 2019-03-06 21:20:39 +01:00			`self.assertIn(b'.torrent', rv.data)`
			`self.assertIn(b'.ods', rv.data)`
Supported types are now directly provided by mat2 2018-12-16 21:47:25 +01:00
Add some tests 2018-12-16 20:36:02 +01:00			`def test_get_download_dangerous_file(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.get('/download/1337/aabb/\..\filename')`
Add some tests 2018-12-16 20:36:02 +01:00			`self.assertEqual(rv.status_code, 302)`

Mitigate filename-based race conditions 2019-02-22 21:17:48 +01:00			`def test_get_download_without_key_file(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.get('/download/non_existant')`
Mitigate filename-based race conditions 2019-02-22 21:17:48 +01:00			`self.assertEqual(rv.status_code, 404)`

			`def test_get_download_nonexistant_file(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.get('/download/1337/aabb/non_existant')`
Add some tests 2018-12-16 20:36:02 +01:00			`self.assertEqual(rv.status_code, 302)`

Add even more tests 2018-12-16 21:33:18 +01:00			`def test_get_upload_without_file(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.post('/')`
Add even more tests 2018-12-16 21:33:18 +01:00			`self.assertEqual(rv.status_code, 302)`

			`def test_get_upload_empty_file(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.post('/',`
Add even more tests 2018-12-16 21:33:18 +01:00			`data=dict(`
			`file=(io.BytesIO(b""), 'test.pdf'),`
			`), follow_redirects=False)`
			`self.assertEqual(rv.status_code, 302)`

Bugfix catch attribute errors and updated dependencies 2022-01-24 19:43:12 +00:00			`def test_get_upload_bad_file_type(self):`
			`rv = self.client.post('/',`
			`data=dict(`
			`file=(io.BytesIO(b"1,2,3 \n 4,5,6"), 'test.csv'),`
			`), follow_redirects=False)`
			`self.assertEqual(rv.status_code, 200)`
			`self.assertIn(b'The type text/csv could not be cleaned', rv.data)`

Add even more tests 2018-12-16 21:33:18 +01:00			`def test_get_upload_empty_file_redir(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.post('/',`
Add even more tests 2018-12-16 21:33:18 +01:00			`data=dict(`
			`file=(io.BytesIO(b""), 'test.pdf'),`
			`), follow_redirects=True)`
catch newly thrown ValueErrors on get_file_parser 2021-03-23 21:20:54 +01:00			`self.assertIn(b'The filetype is not supported',`
Add even more tests 2018-12-16 21:33:18 +01:00			`rv.data)`
			`self.assertEqual(rv.status_code, 200)`

file removal background job 2020-03-27 10:59:16 -07:00			`def test_get_upload_no_selected_file(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.post('/',`
file removal background job 2020-03-27 10:59:16 -07:00			`data=dict(`
			`file=(io.BytesIO(b""), ''),`
			`), follow_redirects=True)`
			`self.assertIn(b'No selected file',`
			`rv.data)`
			`self.assertEqual(rv.status_code, 200)`

			`def test_failed_cleaning(self):`
			`zip_file_bytes = base64.b64decode(`
			`'UEsDBBQACAAIAPicPE8AAAAAAAAAAAAAAAAXACAAZmFpbGluZy5ub3Qtd29ya2luZy1le'`
			`'HRVVA0AB+Saj13kmo9d5JqPXXV4CwABBOkDAAAE6QMAAAMAUEsHCAAAAAACAAAAAAAAAFBL'`
			`'AwQUAAgACAD6nDxPAAAAAAAAAAAAAAAACQAgAHRlc3QuanNvblVUDQAH6JqPXeiaj13omo9d'`
			`'dXgLAAEE6QMAAATpAwAAAwBQSwcIAAAAAAIAAAAAAAAAUEsBAhQDFAAIAAgA+Jw8TwAAAAACA'`
			`'AAAAAAAABcAIAAAAAAAAAAAAKSBAAAAAGZhaWxpbmcubm90LXdvcmtpbmctZXh0VVQNAAfkmo9'`
			`'d5JqPXeSaj111eAsAAQTpAwAABOkDAABQSwECFAMUAAgACAD6nDxPAAAAAAIAAAAAAAAACQAgA'`
			`'AAAAAAAAAAApIFnAAAAdGVzdC5qc29uVVQNAAfomo9d6JqPXeiaj111eAsAAQTpAwAABOkDAAB'`
			`'QSwUGAAAAAAIAAgC8AAAAwAAAAAAA'`
			`)`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.post('/',`
file removal background job 2020-03-27 10:59:16 -07:00			`data=dict(`
			`file=(io.BytesIO(zip_file_bytes), 'test.zip'),`
			`), follow_redirects=True)`
additional error handling 2020-03-31 21:18:39 +02:00			`self.assertIn(b'Unable to clean', rv.data)`
file removal background job 2020-03-27 10:59:16 -07:00			`self.assertEqual(rv.status_code, 200)`

Bump coverage 2018-12-16 21:41:23 +01:00			`def test_get_upload_no_file_name(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.post('/',`
Bump coverage 2018-12-16 21:41:23 +01:00			`data=dict(`
added a docker dev environment Signed-off-by: Jan Friedli <jan.friedli@immerda.ch> 2019-07-09 14:56:21 -07:00			`file=(io.BytesIO(b"aaa")),`
Bump coverage 2018-12-16 21:41:23 +01:00			`), follow_redirects=True)`
			`self.assertIn(b'No file part', rv.data)`
			`self.assertEqual(rv.status_code, 200)`

Add a test with a valid file 2018-12-16 21:37:15 +01:00			`def test_get_upload_harmless_file(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.post(`
			`'/',`
			`data=dict(`
			`file=(io.BytesIO(b"Some text"), 'test.txt'),`
			`),`
			`follow_redirects=True`
			`)`
			`download_uri = self.get_context_variable('download_uri')`
			`self.assertIn('/test.cleaned.txt', download_uri)`
Add a test with a valid file 2018-12-16 21:37:15 +01:00			`self.assertEqual(rv.status_code, 200)`
added a docker dev environment Signed-off-by: Jan Friedli <jan.friedli@immerda.ch> 2019-07-09 14:56:21 -07:00			`self.assertNotIn('Access-Control-Allow-Origin', rv.headers)`
Add a test with a valid file 2018-12-16 21:37:15 +01:00
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.get(download_uri)`
Add a test with a valid file 2018-12-16 21:37:15 +01:00			`self.assertEqual(rv.status_code, 200)`

Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.get(download_uri)`
Add a test with a valid file 2018-12-16 21:37:15 +01:00			`self.assertEqual(rv.status_code, 302)`

Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`def test_upload_wrong_hash_or_secret(self):`
			`rv = self.client.post(`
			`'/',`
			`data=dict(`
			`file=(io.BytesIO(b"Some text"), 'test.txt'),`
			`),`
			`follow_redirects=True`
			`)`

			`download_uri = self.get_context_variable('download_uri')`

			`self.assertIn('/test.cleaned.txt', download_uri)`
			`self.assertIn('/download', download_uri)`
added a docker dev environment Signed-off-by: Jan Friedli <jan.friedli@immerda.ch> 2019-07-09 14:56:21 -07:00			`self.assertEqual(rv.status_code, 200)`

Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`uri_parts = download_uri.split("/")`
			`self.assertEqual(len(uri_parts[2]), len(uri_parts[3]))`
			`self.assertEqual(64, len(uri_parts[2]))`

			`key_uri_parts = uri_parts`
			`key_uri_parts[2] = '70623619c'`
			`rv = self.client.get("/".join(key_uri_parts))`
			`self.assertEqual(rv.status_code, 302)`

			`key_uri_parts = uri_parts`
			`key_uri_parts[3] = '70623619c'`
			`rv = self.client.get("/".join(key_uri_parts))`
added a docker dev environment Signed-off-by: Jan Friedli <jan.friedli@immerda.ch> 2019-07-09 14:56:21 -07:00			`self.assertEqual(rv.status_code, 302)`

Refactoring 2020-04-23 10:39:35 -07:00			`@patch('matweb.file_removal_scheduler.random.randint')`
file removal background job 2020-03-27 10:59:16 -07:00			`def test_upload_leftover(self, randint_mock):`
			`randint_mock.return_value = 0`
			`os.environ['MAT2_MAX_FILE_AGE_FOR_REMOVAL'] = '0'`
			`app = main.create_app()`
			`self.upload_folder = tempfile.mkdtemp()`
			`app.config.update(`
			`TESTING=True,`
			`UPLOAD_FOLDER=self.upload_folder`
			`)`
			`app = app.test_client()`

Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`request = self.client.post('/',`
file removal background job 2020-03-27 10:59:16 -07:00			`data=dict(`
			`file=(io.BytesIO(b"Some text"), 'test.txt'),`
			`), follow_redirects=True)`
			`self.assertEqual(request.status_code, 200)`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00
			`request = app.get(self.get_context_variable('download_uri'))`
file removal background job 2020-03-27 10:59:16 -07:00			`self.assertEqual(302, request.status_code)`
added new property which indicates the remaining download time in secs 2020-05-15 14:38:13 +02:00			`os.environ['MAT2_MAX_FILE_AGE_FOR_REMOVAL'] = str(15*60)`
file removal background job 2020-03-27 10:59:16 -07:00
added a very basic test for the info page 2020-04-13 23:02:55 +02:00			`def test_info_page(self):`
Resolve "Use a HMAC instead of a hash" 2020-04-26 09:50:14 -07:00			`rv = self.client.get('/info')`
added a very basic test for the info page 2020-04-13 23:02:55 +02:00			`self.assertIn(b'What are metadata?', rv.data)`
Removed .asc assertion in supported extensions list 2021-01-29 02:40:42 -08:00			`self.assertIn(b'.jpg', rv.data)`
added a very basic test for the info page 2020-04-13 23:02:55 +02:00			`self.assertIn(b'.mp2', rv.data)`
			`self.assertEqual(rv.status_code, 200)`

Added Non-Ascii filename support 2025-01-12 12:11:06 +00:00			`def test_get_upload_no_ascii_no_ext_input(self):`
Resolve "Fuzzing Errors /api/upload" 2020-05-08 09:10:18 -07:00			`rv = self.client.post(`
			`'/',`
			`data=dict(`
Added Non-Ascii filename support 2025-01-12 12:11:06 +00:00			`file=(io.BytesIO(b"a"), '﷽.txt'),`
Resolve "Fuzzing Errors /api/upload" 2020-05-08 09:10:18 -07:00			`),`
			`follow_redirects=True`
			`)`
			`self.assertEqual(rv.status_code, 200)`
Added Non-Ascii filename support 2025-01-12 12:11:06 +00:00			`self.assertIn(b'.cleaned.txt', rv.data)`
Resolve "Fuzzing Errors /api/upload" 2020-05-08 09:10:18 -07:00
Added Non-Ascii filename support 2025-01-12 12:11:06 +00:00			`def test_get_upload_no_ascii_stem_input(self):`
			`pdfBytes = b"%PDF-1.\n 1 0 obj<</Pages 2 0 R>>endobj\n2 0 obj<</Kids[3 0 R]/Count 1>>endobj\n3 0 obj<</Parent 2 0 R>>endobj\ntrailer <</Root 1 0 R>>"`
			`rv = self.client.post(`
			`'/',`
			`data=dict(`
			`file=(io.BytesIO(pdfBytes), '한국어.pdf'),`
			`),`
			`follow_redirects=True`
			`)`
			`self.assertEqual(rv.status_code, 200)`
			`self.assertIn(b'.cleaned.pdf', rv.data)`
Resolve "Fuzzing Errors /api/upload" 2020-05-08 09:10:18 -07:00
Add some tests 2018-12-16 20:36:02 +01:00			`if __name__ == '__main__':`
			`unittest.main()`