arno
/
gns3-server
mirror of https://github.com/GNS3/gns3-server
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #1188 from GNS3/fix-post-file-normalization

Browse Source 
Fixes path normalization during file upload on nodes (Fixes: #2276)
pull/1192/head
Jeremy Grossmann 7 years ago committed by GitHub
parent 9619827f44 be35ad6874
commit 67c78ba2e3
2 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File

3
gns3server/handlers/api/controller/node_handler.py
Unescape View File

@ -367,6 +367,7 @@ class NodeHandler:
path = request.match_info["path"]
path = force_unix_path(path)
# Raise error if user try to escape
if path[0] == ".":
raise aiohttp.web.HTTPForbidden
@ -401,7 +402,7 @@ class NodeHandler:
project = yield from Controller.instance().get_loaded_project(request.match_info["project_id"])
node = project.get_node(request.match_info["node_id"])
path = request.match_info["path"]
path = os.path.normpath(path)
path = force_unix_path(path)
# Raise error if user try to escape
if path[0] == ".":

17
tests/handlers/api/controller/test_node.py
Unescape View File

@ -258,3 +258,20 @@ def test_post_file(http_controller, tmpdir, project, node, compute):
response = http_controller.get("/projects/{project_id}/nodes/{node_id}/files/../hello".format(project_id=project.id, node_id=node.id), raw=True)
assert response.status == 404
def test_get_and_post_with_nested_paths_normalization(http_controller, tmpdir, project, node, compute):
response = MagicMock()
response.body = b"world"
compute.http_query = AsyncioMagicMock(return_value=response)
response = http_controller.get("/projects/{project_id}/nodes/{node_id}/files/hello\\nested".format(project_id=project.id, node_id=node.id), raw=True)
assert response.status == 200
assert response.body == b'world'
compute.http_query.assert_called_with("GET", "/projects/{project_id}/files/project-files/vpcs/{node_id}/hello/nested".format(project_id=project.id, node_id=node.id), timeout=None, raw=True)
compute.http_query = AsyncioMagicMock()
response = http_controller.post("/projects/{project_id}/nodes/{node_id}/files/hello\\nested".format(project_id=project.id, node_id=node.id), body=b"hello", raw=True)
assert response.status == 201
compute.http_query.assert_called_with("POST", "/projects/{project_id}/files/project-files/vpcs/{node_id}/hello/nested".format(project_id=project.id, node_id=node.id), data=b'hello', timeout=None, raw=True)

Write Preview
Loading…
Cancel
Save