
Verified Commit a60a0c84 authored by jfriedli's avatar jfriedli

validate bulk body is parsable

parent 0219faa0
......@@ -7,7 +7,7 @@ from uuid import uuid4
from flask import after_this_request, send_from_directory, Blueprint, current_app
from flask_restful import Resource, reqparse, abort, request, url_for, Api
from cerberus import Validator
from cerberus import Validator, DocumentError
from werkzeug.datastructures import FileStorage
from flasgger import swag_from
......@@ -157,9 +157,13 @@ class APIBulkDownloadCreator(Resource):
if not data:
abort(400, message="Post Body Required")
current_app.logger.error('BulkDownload - Missing Post Body')
if not self.v.validate(data):
current_app.logger.error('BulkDownload - Missing Post Body: %s', str(self.v.errors))
abort(400, message=self.v.errors)
try:
if not self.v.validate(data):
current_app.logger.error('BulkDownload - Missing Post Body: %s', str(self.v.errors))
abort(400, message=self.v.errors)
except DocumentError as e:
abort(400, message="Invalid Post Body")
current_app.logger.error('BulkDownload - Invalid Post Body: %s', str(e))
# prevent the zip file from being overwritten
zip_filename = 'files.' + str(uuid4()) + '.zip'
zip_path = os.path.join(current_app.config['UPLOAD_FOLDER'], zip_filename)
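Review bot: In the new `except DocumentError as e:` branch the `abort(400, message="Invalid Post Body")` call comes before the `current_app.logger.error(...)` line, and `flask_restful.abort` (imported above) raises, so the log line is never reached; the same order already exists in the `if not data:` branch above it. Swap the two lines so the branch reads `current_app.logger.error('BulkDownload - Invalid Post Body: %s', str(e))` followed by `abort(400, message="Invalid Post Body")`. The retained message `'BulkDownload - Missing Post Body: %s'` inside the `try` is emitted for a schema-validation failure rather than a missing body, which makes it hard to tell apart from the new 'Invalid Post Body' entry when reading logs. The enclosing method of APIBulkDownloadCreator starts and ends outside the hunk.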
......@@ -413,6 +413,24 @@ class Mat2APITestCase(unittest.TestCase):
request = app.get(download_link)
self.assertEqual(code, request.status_code)
def test_download_naughty_input(self):
request = self.app.get(
'/api/download/%F2%8C%BF%BD%F1%AE%98%A3%E4%B7%B8%F2%9B%94%BE%F2%A7%8B%83%F1%B1%80%9F%F3%AA%89%A6/1p/str'
)
error_message = request.get_json()['message']
self.assertEqual(404, request.status_code)
self.assertEqual("File not found", error_message)
def test_download_bulk_naughty_input(self):
request = self.app.post(
'/api/download/bulk',
data='\"\'\'\'&type %SYSTEMROOT%\\\\win.ini\"',
headers={'content-type': 'application/json'}
)
error_message = request.get_json()['message']
self.assertEqual(400, request.status_code)
self.assertEqual("Invalid Post Body", error_message)
def test_upload_naughty_input(self):
request = self.app.post('/api/upload',
data='{"file_name": "\\\\", '
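Review bot: `test_download_bulk_naughty_input` sends a well-formed JSON body that is not a mapping (a JSON string), so it covers the new `DocumentError` path, but a body that is not parsable JSON at all — the case the commit title names — is not exercised. A second case posting e.g. `data='{"file_name": '` (constructed, truncated JSON) with the same content-type and asserting 400 would pin that behaviour; which status and message it yields depends on how the view obtains `data`, which is outside the reviewed hunk, so the expected message should come from an actual run rather than be assumed. In both new tests `request.get_json()['message']` is evaluated before the status-code assertion; asserting `self.assertEqual(400, request.status_code)` first gives a clear assertion failure instead of a `TypeError` if the response is not JSON. The enclosing Mat2APITestCase class continues outside the hunk.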