From caade47e16ad98eef9cecfbfcc4ff897e0b4c700 Mon Sep 17 00:00:00 2001 From: Julien Duponchelle Date: Tue, 10 Nov 2015 15:21:10 +0100 Subject: [PATCH] Fix tests about images paths security --- gns3server/modules/base_manager.py | 4 ++-- tests/handlers/api/test_iou.py | 2 +- tests/handlers/api/test_qemu.py | 8 +++---- tests/modules/iou/test_iou_vm.py | 34 ++++++++++++++++-------------- tests/modules/qemu/test_qemu_vm.py | 16 +++++++------- 5 files changed, 33 insertions(+), 31 deletions(-) diff --git a/gns3server/modules/base_manager.py b/gns3server/modules/base_manager.py index 65afda8c..89aea063 100644 --- a/gns3server/modules/base_manager.py +++ b/gns3server/modules/base_manager.py @@ -417,9 +417,9 @@ class BaseManager: else: # For non local server we disallow using absolute path outside image directory if Config.instance().get_section_config("Server").get("local", False) is False: - img_directory = self.config.get_section_config("Server").get("images_path", "~/GNS3/images") + img_directory = self.config.get_section_config("Server").get("images_path", os.path.expanduser("~/GNS3/images")) if len(os.path.commonprefix([img_directory, path])) < len(img_directory): - raise VMError("%s is not allowed on this remote server. Please use only the image filename.".format(path)) + raise VMError("{} is not allowed on this remote server. Please use only a filename in {}.".format(path, img_directory)) return force_unix_path(path) diff --git a/tests/handlers/api/test_iou.py b/tests/handlers/api/test_iou.py index 7f9845b4..9b8f137c 100644 --- a/tests/handlers/api/test_iou.py +++ b/tests/handlers/api/test_iou.py @@ -42,7 +42,7 @@ def fake_iou_bin(tmpdir): @pytest.fixture def base_params(tmpdir, fake_iou_bin): """Return standard parameters""" - return {"name": "PC TEST 1", "path": fake_iou_bin} + return {"name": "PC TEST 1", "path": "iou.bin"} @pytest.fixture diff --git a/tests/handlers/api/test_qemu.py b/tests/handlers/api/test_qemu.py index b6b7199a..4dbf6dea 100644 
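Review bot: The containment check in the gns3server/modules/base_manager.py hunk still relies on `os.path.commonprefix`, which compares character by character, so a sibling directory whose name merely begins with the images directory name passes. `path` is also not normalized here, so `..` segments or symlinks are not resolved before the comparison (unless that happens earlier in the function, which starts outside the hunk). Only the default value goes through `os.path.expanduser`, so a configured `images_path` containing `~` is compared unexpanded. I would resolve both sides and compare on a directory boundary: `img_directory = os.path.realpath(os.path.expanduser(img_directory))` followed by `if not os.path.realpath(path).startswith(img_directory + os.sep):`. The resolved path should probably also be the one passed to `force_unix_path`, so that the file used later is the one that was checked.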
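Review bot: The literal `"iou.bin"` in `base_params` (tests/handlers/api/test_iou.py) duplicates whatever file name the `fake_iou_bin` fixture creates, and the fixture is now requested only for its side effect. If the fixture's file name changes, the test fails for an unrelated reason. `"path": os.path.basename(fake_iou_bin)` would keep the two tied together, assuming `os` is imported in this test module, which the hunk does not show. The same applies to `"linux.img"` in tests/handlers/api/test_qemu.py and `"iou.bin"` in tests/modules/iou/test_iou_vm.py.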
--- a/tests/handlers/api/test_qemu.py +++ b/tests/handlers/api/test_qemu.py @@ -82,7 +82,7 @@ def test_qemu_create_platform(server, project, base_params, fake_qemu_bin): def test_qemu_create_with_params(server, project, base_params, fake_qemu_vm): params = base_params params["ram"] = 1024 - params["hda_disk_image"] = fake_qemu_vm + params["hda_disk_image"] = "linux.img" response = server.post("/projects/{project_id}/qemu/vms".format(project_id=project.id), params, example=True) assert response.status == 201 @@ -90,7 +90,7 @@ def test_qemu_create_with_params(server, project, base_params, fake_qemu_vm): assert response.json["name"] == "PC TEST 1" assert response.json["project_id"] == project.id assert response.json["ram"] == 1024 - assert response.json["hda_disk_image"] == fake_qemu_vm + assert response.json["hda_disk_image"] == "linux.img" def test_qemu_get(server, project, vm): @@ -149,13 +149,13 @@ def test_qemu_update(server, vm, tmpdir, free_console_port, project, fake_qemu_v "name": "test", "console": free_console_port, "ram": 1024, - "hdb_disk_image": fake_qemu_vm + "hdb_disk_image": "linux.img" } response = server.put("/projects/{project_id}/qemu/vms/{vm_id}".format(project_id=vm["project_id"], vm_id=vm["vm_id"]), params, example=True) assert response.status == 200 assert response.json["name"] == "test" assert response.json["console"] == free_console_port - assert response.json["hdb_disk_image"] == fake_qemu_vm + assert response.json["hdb_disk_image"] == "linux.img" assert response.json["ram"] == 1024 diff --git a/tests/modules/iou/test_iou_vm.py b/tests/modules/iou/test_iou_vm.py index 4b1f7f2c..6a4503ea 100644 --- a/tests/modules/iou/test_iou_vm.py +++ b/tests/modules/iou/test_iou_vm.py @@ -58,7 +58,7 @@ def vm(project, manager, tmpdir, fake_iou_bin, iourc_file): config["iourc_path"] = iourc_file manager.config.set_section_config("IOU", config) - vm.path = fake_iou_bin + vm.path = "iou.bin" return vm 
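Review bot: After this change none of the tests/handlers/api/test_qemu.py hunks sends an absolute path outside the images directory, so the rejection branch of the path check in base_manager.py is not exercised through the API. A request that sets `hda_disk_image` to an absolute path outside `images_path` on a non-local server and asserts that the response status is not 201 would pin that behaviour; the exact status code is not visible here. The four `hd*_disk_image` tests in tests/modules/qemu/test_qemu_vm.py have the same gap: `"/tmp/test"` was replaced by a path under `tmpdir` rather than kept as a negative case.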
@@ -101,7 +101,7 @@ def test_vm_startup_config_content(project, manager): def test_vm_invalid_iouyap_path(project, manager, loop, fake_iou_bin): with pytest.raises(IOUError): vm = IOUVM("test", "00010203-0405-0607-0809-0a0b0c0d0e0e", project, manager) - vm.path = fake_iou_bin + vm.path = "iou.bin" loop.run_until_complete(asyncio.async(vm.start())) @@ -207,9 +207,9 @@ def test_close(vm, port_manager, loop): def test_path(vm, fake_iou_bin): - - vm.path = fake_iou_bin - assert vm.path == fake_iou_bin + with patch("gns3server.config.Config.get_section_config", return_value={"local": True}): + vm.path = fake_iou_bin + assert vm.path == fake_iou_bin def test_path_12_location(vm, fake_iou_bin): @@ -217,8 +217,9 @@ def test_path_12_location(vm, fake_iou_bin): # In 1.2 users uploaded images to the images roots # after the migration their images are inside images/IOU # but old topologies use old path - vm.path = fake_iou_bin.replace("/IOU", "") - assert vm.path == fake_iou_bin + with patch("gns3server.config.Config.get_section_config", return_value={"local": True}): + vm.path = fake_iou_bin.replace("/IOU", "") + assert vm.path == fake_iou_bin def test_path_relative(vm, fake_iou_bin, tmpdir): @@ -231,17 +232,18 @@ def test_path_relative(vm, fake_iou_bin, tmpdir): def test_path_invalid_bin(vm, tmpdir): - path = str(tmpdir / "test.bin") - with pytest.raises(IOUError): - vm.path = path - vm._check_requirements() + with patch("gns3server.config.Config.get_section_config", return_value={"local": True}): + path = str(tmpdir / "test.bin") + with pytest.raises(IOUError): + vm.path = path + vm._check_requirements() - with open(path, "w+") as f: - f.write("BUG") + with open(path, "w+") as f: + f.write("BUG") - with pytest.raises(IOUError): - vm.path = path - vm._check_requirements() + with pytest.raises(IOUError): + vm.path = path + vm._check_requirements() def test_create_netmap_config(vm): 
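Review bot: In `test_path`, `test_path_12_location` and `test_path_invalid_bin`, `patch("gns3server.config.Config.get_section_config", return_value={"local": True})` replaces the lookup for every section, not just `Server`. Any other section read inside the `with` block, such as the `IOU` section that the `vm` fixture fills with `iourc_path`, also comes back as `{"local": True}`. In `test_path_invalid_bin` that could let `_check_requirements()` raise `IOUError` for a reason other than the invalid binary, and the test could not tell the difference. Setting only the one key, in the style tests/modules/qemu/test_qemu_vm.py uses (`vm.manager.config.set("Server", "local", True)`), would leave the rest of the configuration intact, provided the value is read back as a boolean, which these hunks do not show. The hunks also do not show `patch` being imported in this module.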
diff --git a/tests/modules/qemu/test_qemu_vm.py b/tests/modules/qemu/test_qemu_vm.py index 855e1cc2..d2dbbe2d 100644 --- a/tests/modules/qemu/test_qemu_vm.py +++ b/tests/modules/qemu/test_qemu_vm.py @@ -387,8 +387,8 @@ def test_hda_disk_image(vm, tmpdir): vm.manager.config.set("Server", "images_path", str(tmpdir)) - vm.hda_disk_image = "/tmp/test" - assert vm.hda_disk_image == "/tmp/test" + vm.hda_disk_image = str(tmpdir / "test") + assert vm.hda_disk_image == str(tmpdir / "test") vm.hda_disk_image = "test" assert vm.hda_disk_image == str(tmpdir / "QEMU" / "test") @@ -405,8 +405,8 @@ def test_hdb_disk_image(vm, tmpdir): vm.manager.config.set("Server", "images_path", str(tmpdir)) - vm.hdb_disk_image = "/tmp/test" - assert vm.hdb_disk_image == "/tmp/test" + vm.hdb_disk_image = str(tmpdir / "test") + assert vm.hdb_disk_image == str(tmpdir / "test") vm.hdb_disk_image = "test" assert vm.hdb_disk_image == str(tmpdir / "QEMU" / "test") @@ -415,8 +415,8 @@ def test_hdc_disk_image(vm, tmpdir): vm.manager.config.set("Server", "images_path", str(tmpdir)) - vm.hdc_disk_image = "/tmp/test" - assert vm.hdc_disk_image == "/tmp/test" + vm.hdc_disk_image = str(tmpdir / "test") + assert vm.hdc_disk_image == str(tmpdir / "test") vm.hdc_disk_image = "test" assert vm.hdc_disk_image == str(tmpdir / "QEMU" / "test") @@ -425,8 +425,8 @@ def test_hdd_disk_image(vm, tmpdir): vm.manager.config.set("Server", "images_path", str(tmpdir)) - vm.hdd_disk_image = "/tmp/test" - assert vm.hdd_disk_image == "/tmp/test" + vm.hdd_disk_image = str(tmpdir / "test") + assert vm.hdd_disk_image == str(tmpdir / "test") vm.hdd_disk_image = "test" assert vm.hdd_disk_image == str(tmpdir / "QEMU" / "test")