Merge pull request #2099 from horazont/feature/stop-save_as-from-breaking-out-of-output
Try to prevent writing outside of the output directory
commit
ee643d47d7
5 changed files with 105 additions and 6 deletions
|
|
@ -497,6 +497,30 @@ class TestArticle(TestPage):
|
|||
article = Article(**article_kwargs)
|
||||
self.assertEqual(article.url, 'fedora.qa/this-week-in-fedora-qa/')
|
||||
|
||||
def test_valid_save_as_detects_breakout(self):
|
||||
settings = get_settings()
|
||||
article_kwargs = self._copy_page_kwargs()
|
||||
article_kwargs['metadata']['slug'] = '../foo'
|
||||
article_kwargs['settings'] = settings
|
||||
article = Article(**article_kwargs)
|
||||
self.assertFalse(article.valid_save_as())
|
||||
|
||||
def test_valid_save_as_detects_breakout_to_root(self):
|
||||
settings = get_settings()
|
||||
article_kwargs = self._copy_page_kwargs()
|
||||
article_kwargs['metadata']['slug'] = '/foo'
|
||||
article_kwargs['settings'] = settings
|
||||
article = Article(**article_kwargs)
|
||||
self.assertFalse(article.valid_save_as())
|
||||
|
||||
def test_valid_save_as_passes_valid(self):
|
||||
settings = get_settings()
|
||||
article_kwargs = self._copy_page_kwargs()
|
||||
article_kwargs['metadata']['slug'] = 'foo'
|
||||
article_kwargs['settings'] = settings
|
||||
article = Article(**article_kwargs)
|
||||
self.assertTrue(article.valid_save_as())
|
||||
|
||||
|
||||
class TestStatic(LoggedTestCase):
|
||||
|
||||
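Review bot: The three new `valid_save_as` tests reach the check only through `metadata['slug']`, so any other input that feeds the output path is left unpinned. If the class honours a `save_as` metadata override or a customised `ARTICLE_SAVE_AS` pattern (neither is visible in this hunk), add a case for each, for example `article_kwargs['metadata']['save_as'] = '../foo.html'` followed by `self.assertFalse(article.valid_save_as())`. The tests also assert only the boolean result; a writer-level test confirming that nothing is created outside the output directory when the check returns False would pin the guarantee the commit title describes. `TestArticle` begins outside this hunk.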
|
|
|
|||
|
|
@ -11,6 +11,8 @@ from tempfile import mkdtemp
|
|||
|
||||
import pytz
|
||||
|
||||
import six
|
||||
|
||||
from pelican import utils
|
||||
from pelican.generators import TemplatePagesGenerator
|
||||
from pelican.settings import read_settings
|
||||
|
|
@ -666,3 +668,34 @@ class TestDateFormatter(unittest.TestCase):
|
|||
with utils.pelican_open(output_path) as output_file:
|
||||
self.assertEqual(output_file,
|
||||
utils.strftime(self.date, 'date = %A, %d %B %Y'))
|
||||
|
||||
|
||||
class TestSanitisedJoin(unittest.TestCase):
|
||||
def test_detect_parent_breakout(self):
|
||||
with six.assertRaisesRegex(
|
||||
self,
|
||||
RuntimeError,
|
||||
"Attempted to break out of output directory to /foo/test"):
|
||||
utils.sanitised_join(
|
||||
"/foo/bar",
|
||||
"../test"
|
||||
)
|
||||
|
||||
def test_detect_root_breakout(self):
|
||||
with six.assertRaisesRegex(
|
||||
self,
|
||||
RuntimeError,
|
||||
"Attempted to break out of output directory to /test"):
|
||||
utils.sanitised_join(
|
||||
"/foo/bar",
|
||||
"/test"
|
||||
)
|
||||
|
||||
def test_pass_deep_subpaths(self):
|
||||
self.assertEqual(
|
||||
utils.sanitised_join(
|
||||
"/foo/bar",
|
||||
"test"
|
||||
),
|
||||
os.path.join("/foo/bar", "test")
|
||||
)
|
||||
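Review bot: `TestSanitisedJoin` has no case for a target that shares a string prefix with the base directory but sits beside it, which is the case a containment check most often gets wrong. If `utils.sanitised_join` compares paths with a plain prefix test (its body is not in this hunk), joining `"/foo/bar"` with `"../barbaz"` resolves to `/foo/barbaz` and would be accepted, so add a test that expects `RuntimeError` for it. `test_pass_deep_subpaths` joins only the single component `"test"`; use something like `"a/b/test"` or rename the test. The expected messages hard-code POSIX paths, so these tests presumably fail on Windows if the function absolutises its result; building the expected string with `os.path.abspath` would avoid that.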
|
|
|
|||