diff --git a/gns3server/api/routes/compute/images.py b/gns3server/api/routes/compute/images.py
index b5103aaf..e556c1d3 100644
--- a/gns3server/api/routes/compute/images.py
+++ b/gns3server/api/routes/compute/images.py
@@ -69,13 +69,15 @@ async def download_dynamips_image(filename: str) -> FileResponse:
 Download a Dynamips IOS image.
 """
- dynamips_manager = Dynamips.instance()
 filename = urllib.parse.unquote(filename)
- image_path = dynamips_manager.get_abs_image_path(filename)
- if filename[0] == ".":
+ # Raise error if user try to escape
+ if filename[0] == "." or os.path.sep in filename:
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+ dynamips_manager = Dynamips.instance()
+ image_path = dynamips_manager.get_abs_image_path(filename)
+
 if not os.path.exists(image_path):
 raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
@@ -108,13 +110,14 @@ async def download_iou_image(filename: str) -> FileResponse:
 Download an IOU image.
 """
- iou_manager = IOU.instance()
 filename = urllib.parse.unquote(filename)
- image_path = iou_manager.get_abs_image_path(filename)
- if filename[0] == ".":
+ # Raise error if user try to escape
+ if filename[0] == "." or os.path.sep in filename:
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+ iou_manager = IOU.instance()
+ image_path = iou_manager.get_abs_image_path(filename)
 if not os.path.exists(image_path):
 raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
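Review bot: The added `os.path.sep in filename` guard in download_dynamips_image and download_iou_image here, and in download_qemu_image in the next hunk, depends on the platform: on Windows `os.path.sep` is a backslash, so a forward-slash segmented name that does not begin with `.` satisfies neither condition and reaches `get_abs_image_path`, where no containment check is visible in this diff. Check both separators, `if filename[0] == "." or os.path.sep in filename or (os.path.altsep and os.path.altsep in filename):`, or route the three download handlers through the `is_safe_path` helper this commit adopts for the project file routes so every download applies one containment rule. `filename[0]` also raises IndexError (a 500) if the `{filename:path}` route can match an empty segment; `if not filename or filename[0] == "."` closes that. Both function bodies continue outside the hunks.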
@@ -138,13 +141,13 @@ async def upload_qemu_image(filename: str, request: Request) -> None:
 @router.get("/qemu/images/{filename:path}")
 async def download_qemu_image(filename: str) -> FileResponse:
- qemu_manager = Qemu.instance()
 filename = urllib.parse.unquote(filename)
 # Raise error if user try to escape
- if filename[0] == ".":
+ if filename[0] == "." or os.path.sep in filename:
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+ qemu_manager = Qemu.instance()
 image_path = qemu_manager.get_abs_image_path(filename)
 if not os.path.exists(image_path):
diff --git a/gns3server/api/routes/compute/projects.py b/gns3server/api/routes/compute/projects.py
index 8d9fe3b8..f91026b2 100644
--- a/gns3server/api/routes/compute/projects.py
+++ b/gns3server/api/routes/compute/projects.py
@@ -32,6 +32,7 @@ from uuid import UUID
 from gns3server.compute.project_manager import ProjectManager
 from gns3server.compute.project import Project
+from gns3server.utils.path import is_safe_path
 from gns3server import schemas
@@ -200,7 +201,7 @@ async def get_compute_project_file(file_path: str, project: Project = Depends(de
 path = os.path.normpath(file_path)
 # Raise error if user try to escape
- if path[0] == ".":
+ if not is_safe_path(path, project.path):
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
 path = os.path.join(project.path, path)
@@ -216,7 +217,7 @@ async def write_compute_project_file(file_path: str, request: Request, project:
 path = os.path.normpath(file_path)
 # Raise error if user try to escape
- if path[0] == ".":
+ if not is_safe_path(path, project.path):
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
 path = os.path.join(project.path, path)
diff --git a/gns3server/api/routes/controller/nodes.py b/gns3server/api/routes/controller/nodes.py
index 899e9a31..3016d84f 100644
--- a/gns3server/api/routes/controller/nodes.py
+++ b/gns3server/api/routes/controller/nodes.py
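Review bot: In get_compute_project_file and write_compute_project_file, `is_safe_path(path, project.path)` is evaluated on the normalized relative `path` one line before that path is joined to `project.path`, and `is_safe_path` is not part of this diff, so whether it resolves a relative first argument against `project.path` (rather than the working directory) and whether it rejects an absolute `path` cannot be confirmed from here; both need verifying, because `os.path.join(project.path, path)` on the following line discards `project.path` whenever `path` is absolute. The controller counterparts (get_file and write_file in controller/projects.py, in the later hunks) apply `.strip("/")` to the normalized path before the same check while these two do not; the four call sites should agree, e.g. `path = os.path.normpath(file_path).strip("/")` here as well. Once the helper's behaviour is confirmed, a one-line comment above the check recording what it guarantees (e.g. `# is_safe_path resolves path under project.path and rejects anything outside it`) would document the contract the 403 relies on. All four function bodies continue outside the hunks.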
@@ -305,11 +305,11 @@ async def get_file(file_path: str, node: Node = Depends(dep_node)) -> Response:
 path = f"/project-files/{node_type}/{node.id}/{path}"
 res = await node.compute.http_query("GET", f"/projects/{node.project.id}/files{path}", timeout=None, raw=True)
- return Response(res.body, media_type="application/octet-stream")
+ return Response(res.body, media_type="application/octet-stream", status_code=res.status)
 @router.post("/{node_id}/files/{file_path:path}", status_code=status.HTTP_201_CREATED)
-async def post_file(file_path: str, request: Request, node: Node = Depends(dep_node)) -> dict:
+async def post_file(file_path: str, request: Request, node: Node = Depends(dep_node)):
 """
 Write a file in the node directory.
 """
@@ -324,8 +324,8 @@ async def post_file(file_path: str, request: Request, node: Node = Depends(dep_n
 path = f"/project-files/{node_type}/{node.id}/{path}"
 data = await request.body()
 # FIXME: are we handling timeout or large files correctly?
- await node.compute.http_query("POST", f"/projects/{node.project.id}/files{path}", data=data, timeout=None, raw=True)
+ # FIXME: response with correct status code (from compute)
 @router.websocket("/{node_id}/console/ws")
diff --git a/gns3server/api/routes/controller/projects.py b/gns3server/api/routes/controller/projects.py
index c8936f5f..e0c776bb 100644
--- a/gns3server/api/routes/controller/projects.py
+++ b/gns3server/api/routes/controller/projects.py
@@ -44,6 +44,7 @@ from gns3server.controller.controller_error import ControllerError, ControllerFo
 from gns3server.controller.import_project import import_project as import_controller_project
 from gns3server.controller.export_project import export_project as export_controller_project
 from gns3server.utils.asyncio import aiozipstream
+from gns3server.utils.path import is_safe_path
 from gns3server.config import Config
 responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}}
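Review bot: post_file still answers with the decorator's fixed `status_code=status.HTTP_201_CREATED` whatever the compute replied, which the added `# FIXME: response with correct status code (from compute)` acknowledges; the pattern get_file adopts in the first hunk applies directly, `res = await node.compute.http_query("POST", …)` followed by `return Response(status_code=res.status)`, which also lets the route declare `-> Response` in place of the `-> dict` annotation the hunk drops without replacement. As rendered, the `-` marker sits in front of the `await node.compute.http_query("POST", …)` line and the only `+` line is the comment; if that `-` belongs to a removed blank line the call is intact, but if the call itself was removed post_file reads the body and never forwards it, so that line deserves a second look. In get_file, `status_code=res.status` now forwards non-2xx compute replies with their body labelled `application/octet-stream`; consider raising HTTPException for those so error payloads are not served as file content. Both function bodies start outside the hunks.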
@@ -371,7 +372,7 @@ async def get_file(file_path: str, project: Project = Depends(dep_project)) -> F
 path = os.path.normpath(file_path).strip("/")
 # Raise error if user try to escape
- if path[0] == ".":
+ if not is_safe_path(path, project.path):
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
 path = os.path.join(project.path, path)
@@ -390,7 +391,7 @@ async def write_file(file_path: str, request: Request, project: Project = Depend
 path = os.path.normpath(file_path).strip("/")
 # Raise error if user try to escape
- if path[0] == ".":
+ if not is_safe_path(path, project.path):
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
 path = os.path.join(project.path, path)
diff --git a/gns3server/handlers/api/compute/dynamips_vm_handler.py b/gns3server/handlers/api/compute/dynamips_vm_handler.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/gns3server/handlers/api/compute/iou_handler.py b/gns3server/handlers/api/compute/iou_handler.py
deleted file mode 100644
index 9a6649fc..00000000
--- a/gns3server/handlers/api/compute/iou_handler.py
+++ /dev/null
@@ -1,468 +0,0 @@ -# -*- coding: utf-8 -*- -# -# Copyright (C) 2015 GNS3 Technologies Inc. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -import aiohttp.web - -from gns3server.web.route import Route -from gns3server.schemas.nio import NIO_SCHEMA -from gns3server.compute.iou import IOU - -from gns3server.schemas.node import ( - NODE_CAPTURE_SCHEMA, - NODE_LIST_IMAGES_SCHEMA, -) - -from gns3server.schemas.iou import ( - IOU_CREATE_SCHEMA, - IOU_START_SCHEMA, - IOU_OBJECT_SCHEMA -) - - -class IOUHandler: - - """ - API entry points for IOU. 
- """ - - @Route.post( - r"/projects/{project_id}/iou/nodes", - parameters={ - "project_id": "Project UUID" - }, - status_codes={ - 201: "Instance created", - 400: "Invalid request", - 409: "Conflict" - }, - description="Create a new IOU instance", - input=IOU_CREATE_SCHEMA, - output=IOU_OBJECT_SCHEMA) - async def create(request, response): - - iou = IOU.instance() - vm = await iou.create_node(request.json.pop("name"), - request.match_info["project_id"], - request.json.get("node_id"), - application_id=request.json.get("application_id"), - path=request.json.get("path"), - console=request.json.get("console"), - console_type=request.json.get("console_type", "telnet")) - - for name, value in request.json.items(): - if hasattr(vm, name) and getattr(vm, name) != value: - if name == "application_id": - continue # we must ignore this to avoid overwriting the application_id allocated by the controller - if name == "startup_config_content" and (vm.startup_config_content and len(vm.startup_config_content) > 0): - continue - if name == "private_config_content" and (vm.private_config_content and len(vm.private_config_content) > 0): - continue - if request.json.get("use_default_iou_values") and (name == "ram" or name == "nvram"): - continue - setattr(vm, name, value) - response.set_status(201) - response.json(vm) - - @Route.get( - r"/projects/{project_id}/iou/nodes/{node_id}", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID" - }, - status_codes={ - 200: "Success", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - description="Get an IOU instance", - output=IOU_OBJECT_SCHEMA) - def show(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - response.json(vm) - - @Route.put( - r"/projects/{project_id}/iou/nodes/{node_id}", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID" - }, - status_codes={ - 200: "Instance updated", 
- 400: "Invalid request", - 404: "Instance doesn't exist", - 409: "Conflict" - }, - description="Update an IOU instance", - input=IOU_OBJECT_SCHEMA, - output=IOU_OBJECT_SCHEMA) - async def update(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - - for name, value in request.json.items(): - if hasattr(vm, name) and getattr(vm, name) != value: - if name == "application_id": - continue # we must ignore this to avoid overwriting the application_id allocated by the IOU manager - setattr(vm, name, value) - - if vm.use_default_iou_values: - # update the default IOU values in case the image or use_default_iou_values have changed - # this is important to have the correct NVRAM amount in order to correctly push the configs to the NVRAM - await vm.update_default_iou_values() - vm.updated() - response.json(vm) - - @Route.delete( - r"/projects/{project_id}/iou/nodes/{node_id}", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID" - }, - status_codes={ - 204: "Instance deleted", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - description="Delete an IOU instance") - async def delete(request, response): - - await IOU.instance().delete_node(request.match_info["node_id"]) - response.set_status(204) - - @Route.post( - r"/projects/{project_id}/iou/nodes/{node_id}/duplicate", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID" - }, - status_codes={ - 201: "Instance duplicated", - 404: "Instance doesn't exist" - }, - description="Duplicate a IOU instance") - async def duplicate(request, response): - - new_node = await IOU.instance().duplicate_node( - request.match_info["node_id"], - request.json["destination_node_id"] - ) - response.set_status(201) - response.json(new_node) - - @Route.post( - r"/projects/{project_id}/iou/nodes/{node_id}/start", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID" - }, - 
status_codes={ - 200: "Instance started", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - input=IOU_START_SCHEMA, - output=IOU_OBJECT_SCHEMA, - description="Start an IOU instance") - async def start(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - - for name, value in request.json.items(): - if hasattr(vm, name) and getattr(vm, name) != value: - setattr(vm, name, value) - - await vm.start() - response.json(vm) - - @Route.post( - r"/projects/{project_id}/iou/nodes/{node_id}/stop", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID" - }, - status_codes={ - 204: "Instance stopped", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - description="Stop an IOU instance") - async def stop(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - await vm.stop() - response.set_status(204) - - @Route.post( - r"/projects/{project_id}/iou/nodes/{node_id}/suspend", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID" - }, - status_codes={ - 204: "Instance suspended", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - description="Suspend an IOU instance (does nothing)") - def suspend(request, response): - - iou_manager = IOU.instance() - iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - response.set_status(204) - - @Route.post( - r"/projects/{project_id}/iou/nodes/{node_id}/reload", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID", - }, - status_codes={ - 204: "Instance reloaded", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - description="Reload an IOU instance") - async def reload(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], 
project_id=request.match_info["project_id"]) - await vm.reload() - response.set_status(204) - - @Route.post( - r"/projects/{project_id}/iou/nodes/{node_id}/adapters/{adapter_number:\d+}/ports/{port_number:\d+}/nio", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID", - "adapter_number": "Network adapter where the nio is located", - "port_number": "Port where the nio should be added" - }, - status_codes={ - 201: "NIO created", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - description="Add a NIO to a IOU instance", - input=NIO_SCHEMA, - output=NIO_SCHEMA) - async def create_nio(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - nio_type = request.json["type"] - if nio_type not in ("nio_udp", "nio_tap", "nio_ethernet", "nio_generic_ethernet"): - raise aiohttp.web.HTTPConflict(text="NIO of type {} is not supported".format(nio_type)) - nio = iou_manager.create_nio(request.json) - await vm.adapter_add_nio_binding(int(request.match_info["adapter_number"]), int(request.match_info["port_number"]), nio) - response.set_status(201) - response.json(nio) - - @Route.put( - r"/projects/{project_id}/iou/nodes/{node_id}/adapters/{adapter_number:\d+}/ports/{port_number:\d+}/nio", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID", - "adapter_number": "Network adapter where the nio is located", - "port_number": "Port where the nio should be added" - }, - status_codes={ - 201: "NIO updated", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - description="Update a NIO on an IOU instance", - input=NIO_SCHEMA, - output=NIO_SCHEMA) - async def update_nio(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - adapter_number = int(request.match_info["adapter_number"]) - port_number = 
int(request.match_info["port_number"]) - nio = vm.get_nio(adapter_number, port_number) - if "filters" in request.json: - nio.filters = request.json["filters"] - await vm.adapter_update_nio_binding(adapter_number, port_number, nio) - response.set_status(201) - response.json(request.json) - - @Route.delete( - r"/projects/{project_id}/iou/nodes/{node_id}/adapters/{adapter_number:\d+}/ports/{port_number:\d+}/nio", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID", - "adapter_number": "Network adapter where the nio is located", - "port_number": "Port from where the nio should be removed" - }, - status_codes={ - 204: "NIO deleted", - 400: "Invalid request", - 404: "Instance doesn't exist" - }, - description="Remove a NIO from a IOU instance") - async def delete_nio(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - await vm.adapter_remove_nio_binding(int(request.match_info["adapter_number"]), int(request.match_info["port_number"])) - response.set_status(204) - - @Route.post( - r"/projects/{project_id}/iou/nodes/{node_id}/adapters/{adapter_number:\d+}/ports/{port_number:\d+}/start_capture", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID", - "adapter_number": "Adapter to start a packet capture", - "port_number": "Port on the adapter" - }, - status_codes={ - 200: "Capture started", - 400: "Invalid request", - 404: "Instance doesn't exist", - 409: "VM not started" - }, - description="Start a packet capture on an IOU VM instance", - input=NODE_CAPTURE_SCHEMA) - async def start_capture(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - adapter_number = int(request.match_info["adapter_number"]) - port_number = int(request.match_info["port_number"]) - pcap_file_path = os.path.join(vm.project.capture_working_directory(), 
request.json["capture_file_name"]) - await vm.start_capture(adapter_number, port_number, pcap_file_path, request.json["data_link_type"]) - response.json({"pcap_file_path": str(pcap_file_path)}) - - @Route.post( - r"/projects/{project_id}/iou/nodes/{node_id}/adapters/{adapter_number:\d+}/ports/{port_number:\d+}/stop_capture", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID", - "adapter_number": "Adapter to stop a packet capture", - "port_number": "Port on the adapter (always 0)" - }, - status_codes={ - 204: "Capture stopped", - 400: "Invalid request", - 404: "Instance doesn't exist", - 409: "VM not started" - }, - description="Stop a packet capture on an IOU VM instance") - async def stop_capture(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - adapter_number = int(request.match_info["adapter_number"]) - port_number = int(request.match_info["port_number"]) - await vm.stop_capture(adapter_number, port_number) - response.set_status(204) - - @Route.get( - r"/projects/{project_id}/iou/nodes/{node_id}/adapters/{adapter_number:\d+}/ports/{port_number:\d+}/pcap", - description="Stream the pcap capture file", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID", - "adapter_number": "Adapter to steam a packet capture", - "port_number": "Port on the adapter (always 0)" - }, - status_codes={ - 200: "File returned", - 403: "Permission denied", - 404: "The file doesn't exist" - }) - async def stream_pcap_file(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - adapter_number = int(request.match_info["adapter_number"]) - port_number = int(request.match_info["port_number"]) - nio = vm.get_nio(adapter_number, port_number) - await iou_manager.stream_pcap_file(nio, vm.project.id, request, response) - - @Route.get( - 
r"/iou/images", - status_codes={ - 200: "List of IOU images", - }, - description="Retrieve the list of IOU images", - output=NODE_LIST_IMAGES_SCHEMA) - async def list_iou_images(request, response): - - iou_manager = IOU.instance() - images = await iou_manager.list_images() - response.set_status(200) - response.json(images) - - @Route.post( - r"/iou/images/{filename:.+}", - parameters={ - "filename": "Image filename" - }, - status_codes={ - 204: "Image uploaded", - }, - raw=True, - description="Upload an IOU image") - async def upload_image(request, response): - - iou_manager = IOU.instance() - await iou_manager.write_image(request.match_info["filename"], request.content) - response.set_status(204) - - - @Route.get( - r"/iou/images/{filename:.+}", - parameters={ - "filename": "Image filename" - }, - status_codes={ - 200: "Image returned", - }, - raw=True, - description="Download an IOU image") - async def download_image(request, response): - filename = request.match_info["filename"] - - iou_manager = IOU.instance() - image_path = iou_manager.get_abs_image_path(filename) - - # Raise error if user try to escape - if filename[0] == ".": - raise aiohttp.web.HTTPForbidden() - - await response.stream_file(image_path) - - @Route.get( - r"/projects/{project_id}/iou/nodes/{node_id}/console/ws", - description="WebSocket for console", - parameters={ - "project_id": "Project UUID", - "node_id": "Node UUID", - }) - async def console_ws(request, response): - - iou_manager = IOU.instance() - vm = iou_manager.get_node(request.match_info["node_id"], project_id=request.match_info["project_id"]) - return await vm.start_websocket_console(request) diff --git a/gns3server/handlers/api/compute/project_handler.py b/gns3server/handlers/api/compute/project_handler.py deleted file mode 100644 index e69de29b..00000000 diff --git a/gns3server/handlers/api/compute/qemu_handler.py b/gns3server/handlers/api/compute/qemu_handler.py deleted file mode 100644 index e69de29b..00000000 
diff --git a/gns3server/handlers/api/controller/node_handler.py b/gns3server/handlers/api/controller/node_handler.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/gns3server/handlers/api/controller/project_handler.py b/gns3server/handlers/api/controller/project_handler.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/gns3server/handlers/index_handler.py b/gns3server/handlers/index_handler.py
deleted file mode 100644
index bcad4a8e..00000000
--- a/gns3server/handlers/index_handler.py
+++ /dev/null
@@ -1,116 +0,0 @@ -# -# Copyright (C) 2016 GNS3 Technologies Inc. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import aiohttp - -from gns3server.web.route import Route -from gns3server.controller import Controller -from gns3server.compute.port_manager import PortManager -from gns3server.compute.project_manager import ProjectManager -from gns3server.version import __version__ -from gns3server.utils.get_resource import get_resource - - -class IndexHandler: - - @Route.get( - r"/", - description="Home page of the GNS3 server" - ) - async def index(request, response): - - raise aiohttp.web.HTTPFound(location="/static/web-ui/bundled") - - @Route.get( - r"/debug", - description="Old index page" - ) - def upload(request, response): - response.template("index.html") - - @Route.get( - r"/upload", - description="Placeholder page for the old /upload" - ) - def upload(request, response): - response.template("upload.html") - - @Route.get( - r"/compute", - description="Resources used by the GNS3 computes" - ) - def compute(request, response): - response.template("compute.html", - port_manager=PortManager.instance(), - project_manager=ProjectManager.instance()) - - @Route.get( - r"/controller", - description="Resources used by the GNS3 controller server" - ) - def controller(request, response): - response.template("controller.html", - controller=Controller.instance()) - - @Route.get( - 
r"/projects/{project_id}", - description="List of the GNS3 projects" - ) - def project(request, response): - controller = Controller.instance() - response.template("project.html", - project=controller.get_project(request.match_info["project_id"])) - - @Route.get( - r"/static/web-ui/{filename:.+}", - parameters={ - "filename": "Static filename" - }, - status_codes={ - 200: "Static file returned", - 404: "Static cannot be found", - }, - raw=True, - description="Get static resource") - async def webui(request, response): - filename = request.match_info["filename"] - filename = os.path.normpath(filename).strip("/") - filename = os.path.join('static', 'web-ui', filename) - - # Raise error if user try to escape - if filename[0] == "." or '/../' in filename: - raise aiohttp.web.HTTPForbidden() - - static = get_resource(filename) - - if static is None or not os.path.exists(static): - static = get_resource(os.path.join('static', 'web-ui', 'index.html')) - - # guesstype prefers to have text/html type than application/javascript - # which results with warnings in Firefox 66 on Windows - # Ref. gns3-server#1559 - _, ext = os.path.splitext(static) - mimetype = ext == '.js' and 'application/javascript' or None - - await response.stream_file(static, status=200, set_content_type=mimetype) - - @Route.get( - r"/v1/version", - description="Old 1.0 API" - ) - def get_v1(request, response): - response.json({"version": __version__}) diff --git a/tests/api/routes/compute/test_dynamips_nodes.py b/tests/api/routes/compute/test_dynamips_nodes.py index 14473d56..8c8bebc2 100644 --- a/tests/api/routes/compute/test_dynamips_nodes.py +++ b/tests/api/routes/compute/test_dynamips_nodes.py 
@@ -186,6 +186,13 @@ async def test_upload_image(app: FastAPI, client: AsyncClient, images_dir: str)
 assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
+async def test_download_image_escape(app: FastAPI, client: AsyncClient, tmpdir) -> None:
+
+ file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
+ response = await client.get(app.url_path_for("download_dynamips_image", filename=file_path))
+ assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
 @pytest.mark.skipif(not sys.platform.startswith("win") and os.getuid() == 0, reason="Root can delete any image")
 async def test_upload_image_permission_denied(app: FastAPI, client: AsyncClient, images_dir: str) -> None:
diff --git a/tests/api/routes/compute/test_iou_nodes.py b/tests/api/routes/compute/test_iou_nodes.py
index 5bd893a5..ddd7bf74 100644
--- a/tests/api/routes/compute/test_iou_nodes.py
+++ b/tests/api/routes/compute/test_iou_nodes.py
@@ -401,10 +401,10 @@ async def test_images(app: FastAPI, client: AsyncClient, fake_iou_bin: str) -> N
 assert response.json() == [{"filename": "iou.bin", "path": "iou.bin", "filesize": 7, "md5sum": "e573e8f5c93c6c00783f20c7a170aa6c"}]
-async def test_image_vm(app: FastAPI, client: AsyncClient, tmpdir) -> None:
+async def test_upload_image(app: FastAPI, client: AsyncClient, tmpdir) -> None:
 with patch("gns3server.compute.IOU.get_images_directory", return_value=str(tmpdir)):
- response = await client.post(app.url_path_for("download_iou_image", filename="test2"), content=b"TEST")
+ response = await client.post(app.url_path_for("upload_iou_image", filename="test2"), content=b"TEST")
 assert response.status_code == status.HTTP_204_NO_CONTENT
 with open(str(tmpdir / "test2")) as f:
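Review bot: test_download_image_escape here (and the two identical tests added to test_iou_nodes.py and test_qemu_nodes.py in the next hunks) declares a `tmpdir` fixture it never uses and asserts only the forward-slash traversal form, so the `filename[0] == "."` branch of the new guard is never exercised; drop `tmpdir` and parametrize the path over both forms, e.g. `@pytest.mark.parametrize("file_path", ["foo/%2e%2e/%2e%2e/etc/passwd", "%2e%2e/%2e%2e/etc/passwd"])`. Since the guard under test checks `os.path.sep`, the forward-slash case is expected to behave differently on Windows, where that separator is a backslash; whether the suite runs there is not visible from this diff, and the test as written would surface it rather than document the intended behaviour.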
@@ -415,6 +415,13 @@ async def test_image_vm(app: FastAPI, client: AsyncClient, tmpdir) -> None:
 assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
+async def test_download_image_escape(app: FastAPI, client: AsyncClient, tmpdir) -> None:
+
+ file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
+ response = await client.get(app.url_path_for("download_iou_image", filename=file_path))
+ assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
 async def test_iou_duplicate(app: FastAPI, client: AsyncClient, vm: dict, base_params: dict) -> None:
 # create destination node first
diff --git a/tests/api/routes/compute/test_qemu_nodes.py b/tests/api/routes/compute/test_qemu_nodes.py
index 11596239..14084526 100644
--- a/tests/api/routes/compute/test_qemu_nodes.py
+++ b/tests/api/routes/compute/test_qemu_nodes.py
@@ -396,6 +396,13 @@ async def test_upload_image_forbiden_location(app: FastAPI, client: AsyncClient,
 assert response.status_code == status.HTTP_403_FORBIDDEN
+async def test_download_image_escape(app: FastAPI, client: AsyncClient, tmpdir) -> None:
+
+ file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
+ response = await client.get(app.url_path_for("download_qemu_image", filename=file_path))
+ assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
 @pytest.mark.skipif(not sys.platform.startswith("win") and os.getuid() == 0, reason="Root can delete any image")
 async def test_upload_image_permission_denied(app: FastAPI, client: AsyncClient, images_dir: str) -> None:
diff --git a/tests/api/routes/controller/test_nodes.py b/tests/api/routes/controller/test_nodes.py
index 85efff77..1f6820f9 100644
--- a/tests/api/routes/controller/test_nodes.py
+++ b/tests/api/routes/controller/test_nodes.py
@@ -240,6 +240,7 @@ async def test_get_file(app: FastAPI, client: AsyncClient, project: Project, com
 response = MagicMock()
 response.body = b"world"
+ response.status = status.HTTP_200_OK
 compute.http_query = AsyncioMagicMock(return_value=response)
 response = await client.get(app.url_path_for("get_file", project_id=project.id, node_id=node.id, file_path="hello"))
diff --git a/tests/handlers/api/compute/test_project.py b/tests/handlers/api/compute/test_project.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/handlers/api/compute/test_qemu.py b/tests/handlers/api/compute/test_qemu.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/handlers/api/controller/test_node.py b/tests/handlers/api/controller/test_node.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/handlers/api/controller/test_project.py b/tests/handlers/api/controller/test_project.py
deleted file mode 100644
index e69de29b..00000000
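Review bot: test_get_file now sets `response.status = status.HTTP_200_OK` on the mocked compute reply, so the new `status_code=res.status` pass-through in get_file is only exercised for the success value and a regression back to an unconditional 200 would not be caught. A second case with `response.status = status.HTTP_404_NOT_FOUND` and `assert response.status_code == status.HTTP_404_NOT_FOUND` would pin the behaviour the change was made for. The test body continues outside the hunk.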