rpms / python2-pip

Clone
Source Code
GIT

Blame SOURCES/pip-directory-traversal-security-issue-tests.patch

c8-beta-stream-2.7 c8-containeronly-stream-flatpak c8-stream-2.7 c8s-stream-2.7
  1.   c8-stream-2.7
  2.   SOURCES
  3.   pip-directory-traversal-security-issue-tests.patch
Blob History Raw
22e157 
From 7917dbda14ef64a5e7fdea48383a266577484ac8 Mon Sep 17 00:00:00 2001
22e157 
From: Tomas Orsava <torsava@redhat.com>
22e157 
Date: Wed, 19 Aug 2020 12:51:16 +0200
22e157 
Subject: [PATCH 2/2] FIX #6413 pip install <url> allow directory traversal
22e157 
 (tests)
22e157
22e157 
---
22e157 
 tests/unit/test_download.py | 85 +++++++++++++++++++++++++++++++++++++
22e157 
 1 file changed, 85 insertions(+)
22e157
22e157 
diff --git a/tests/unit/test_download.py b/tests/unit/test_download.py
22e157 
index ee4b11c..15f99ec 100644
22e157 
--- a/tests/unit/test_download.py
22e157 
+++ b/tests/unit/test_download.py
22e157 
@@ -1,5 +1,6 @@
22e157 
 import hashlib
22e157 
 import os
22e157 
+import sys
22e157 
 from io import BytesIO
22e157 
 from shutil import rmtree, copy
22e157 
 from tempfile import mkdtemp
22e157 
@@ -13,6 +14,7 @@ import pip
22e157 
 from pip.exceptions import HashMismatch
22e157 
 from pip.download import (
22e157 
     PipSession, SafeFileCache, path_to_url, unpack_http_url, url_to_path,
22e157 
+    _download_http_url, parse_content_disposition, sanitize_content_filename,
22e157 
     unpack_file_url,
22e157 
 )
22e157 
 from pip.index import Link
22e157 
@@ -123,6 +125,89 @@ def test_unpack_http_url_bad_downloaded_checksum(mock_unpack_file):
22e157 
         rmtree(download_dir)
22e157
22e157
22e157 
+@pytest.mark.parametrize("filename, expected", [
22e157 
+    ('dir/file', 'file'),
22e157 
+    ('../file', 'file'),
22e157 
+    ('../../file', 'file'),
22e157 
+    ('../', ''),
22e157 
+    ('../..', '..'),
22e157 
+    ('/', ''),
22e157 
+])
22e157 
+def test_sanitize_content_filename(filename, expected):
22e157 
+    """
22e157 
+    Test inputs where the result is the same for Windows and non-Windows.
22e157 
+    """
22e157 
+    assert sanitize_content_filename(filename) == expected
22e157 
+
22e157 
+
22e157 
+@pytest.mark.parametrize("filename, win_expected, non_win_expected", [
22e157 
+    ('dir\\file', 'file', 'dir\\file'),
22e157 
+    ('..\\file', 'file', '..\\file'),
22e157 
+    ('..\\..\\file', 'file', '..\\..\\file'),
22e157 
+    ('..\\', '', '..\\'),
22e157 
+    ('..\\..', '..', '..\\..'),
22e157 
+    ('\\', '', '\\'),
22e157 
+])
22e157 
+def test_sanitize_content_filename__platform_dependent(
22e157 
+    filename,
22e157 
+    win_expected,
22e157 
+    non_win_expected
22e157 
+):
22e157 
+    """
22e157 
+    Test inputs where the result is different for Windows and non-Windows.
22e157 
+    """
22e157 
+    if sys.platform == 'win32':
22e157 
+        expected = win_expected
22e157 
+    else:
22e157 
+        expected = non_win_expected
22e157 
+    assert sanitize_content_filename(filename) == expected
22e157 
+
22e157 
+
22e157 
+@pytest.mark.parametrize("content_disposition, default_filename, expected", [
22e157 
+    ('attachment;filename="../file"', 'df', 'file'),
22e157 
+])
22e157 
+def test_parse_content_disposition(
22e157 
+    content_disposition,
22e157 
+    default_filename,
22e157 
+    expected
22e157 
+):
22e157 
+    actual = parse_content_disposition(content_disposition, default_filename)
22e157 
+    assert actual == expected
22e157 
+
22e157 
+
22e157 
+def test_download_http_url__no_directory_traversal(tmpdir):
22e157 
+    """
22e157 
+    Test that directory traversal doesn't happen on download when the
22e157 
+    Content-Disposition header contains a filename with a ".." path part.
22e157 
+    """
22e157 
+    mock_url = 'http://www.example.com/whatever.tgz'
22e157 
+    contents = b'downloaded'
22e157 
+    link = Link(mock_url)
22e157 
+
22e157 
+    session = Mock()
22e157 
+    resp = MockResponse(contents)
22e157 
+    resp.url = mock_url
22e157 
+    resp.headers = {
22e157 
+        # Set the content-type to a random value to prevent
22e157 
+        # mimetypes.guess_extension from guessing the extension.
22e157 
+        'content-type': 'random',
22e157 
+        'content-disposition': 'attachment;filename="../out_dir_file"'
22e157 
+    }
22e157 
+    session.get.return_value = resp
22e157 
+
22e157 
+    download_dir = tmpdir.join('download')
22e157 
+    os.mkdir(download_dir)
22e157 
+    file_path, content_type = _download_http_url(
22e157 
+        link,
22e157 
+        session,
22e157 
+        download_dir,
22e157 
+        hashes=None,
22e157 
+    )
22e157 
+    # The file should be downloaded to download_dir.
22e157 
+    actual = os.listdir(download_dir)
22e157 
+    assert actual == ['out_dir_file']
22e157 
+
22e157 
+
22e157 
 @pytest.mark.skipif("sys.platform == 'win32'")
22e157 
 def test_path_to_url_unix():
22e157 
     assert path_to_url('/tmp/file') == 'file:///tmp/file'
22e157 
--
22e157 
2.25.4
22e157

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation