Git-Mirrors/mat2-web
1
0
Fork 0
mirror of https://0xacab.org/jvoisin/mat2-web.git synced 2025-02-23 08:39:57 -05:00
Code Issues Packages Projects Releases Wiki Activity

validate bulk body is parsable

Browse Source
This commit is contained in:
jfriedli 2021-08-23 20:56:49 +02:00
parent 0219faa020
commit a60a0c845f
No known key found for this signature in database
GPG Key ID: B0C0A4C9085372B7
2 changed files with 26 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
matweb/rest_api.py
View File

@ -7,7 +7,7 @@ from uuid import uuid4
from flask import after_this_request, send_from_directory, Blueprint, current_app from flask import after_this_request, send_from_directory, Blueprint, current_app
from flask_restful import Resource, reqparse, abort, request, url_for, Api from flask_restful import Resource, reqparse, abort, request, url_for, Api
from cerberus import Validator from cerberus import Validator, DocumentError
from werkzeug.datastructures import FileStorage from werkzeug.datastructures import FileStorage
from flasgger import swag_from from flasgger import swag_from
@ -157,9 +157,13 @@ class APIBulkDownloadCreator(Resource):
if not data: if not data:
abort(400, message="Post Body Required") abort(400, message="Post Body Required")
current_app.logger.error('BulkDownload - Missing Post Body') current_app.logger.error('BulkDownload - Missing Post Body')
if not self.v.validate(data): try:
current_app.logger.error('BulkDownload - Missing Post Body: %s', str(self.v.errors)) if not self.v.validate(data):
abort(400, message=self.v.errors) current_app.logger.error('BulkDownload - Missing Post Body: %s', str(self.v.errors))
abort(400, message=self.v.errors)
except DocumentError as e:
abort(400, message="Invalid Post Body")
current_app.logger.error('BulkDownload - Invalid Post Body: %s', str(e))
# prevent the zip file from being overwritten # prevent the zip file from being overwritten
zip_filename = 'files.' + str(uuid4()) + '.zip' zip_filename = 'files.' + str(uuid4()) + '.zip'
zip_path = os.path.join(current_app.config['UPLOAD_FOLDER'], zip_filename) zip_path = os.path.join(current_app.config['UPLOAD_FOLDER'], zip_filename)

18
test/test_api.py
View File

@ -413,6 +413,24 @@ class Mat2APITestCase(unittest.TestCase):
request = app.get(download_link) request = app.get(download_link)
self.assertEqual(code, request.status_code) self.assertEqual(code, request.status_code)
def test_download_naughty_input(self):
request = self.app.get(
'/api/download/%F2%8C%BF%BD%F1%AE%98%A3%E4%B7%B8%F2%9B%94%BE%F2%A7%8B%83%F1%B1%80%9F%F3%AA%89%A6/1p/str'
)
error_message = request.get_json()['message']
self.assertEqual(404, request.status_code)
self.assertEqual("File not found", error_message)
def test_download_bulk_naughty_input(self):
request = self.app.post(
'/api/download/bulk',
data='\"\'\'\'&type %SYSTEMROOT%\\\\win.ini\"',
headers={'content-type': 'application/json'}
)
error_message = request.get_json()['message']
self.assertEqual(400, request.status_code)
self.assertEqual("Invalid Post Body", error_message)
def test_upload_naughty_input(self): def test_upload_naughty_input(self):
request = self.app.post('/api/upload', request = self.app.post('/api/upload',
data='{"file_name": "\\\\", ' data='{"file_name": "\\\\", '