From 354d69a7b397571e3845de13ecabbfeb9d7f100b Mon Sep 17 00:00:00 2001 From: Tres Seaver Date: Mon, 21 Aug 2023 14:43:12 -0400 Subject: fix: reject NUL character as path element See: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8 --- tests/fixtures/index.html | 1 + tests/test_static.py | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 tests/fixtures/index.html (limited to 'tests') diff --git a/tests/fixtures/index.html b/tests/fixtures/index.html new file mode 100644 index 000000000..a37df5790 --- /dev/null +++ b/tests/fixtures/index.html @@ -0,0 +1 @@ +

DON'T GO HERE

diff --git a/tests/test_static.py b/tests/test_static.py index af487fa24..97978f2a4 100644 --- a/tests/test_static.py +++ b/tests/test_static.py @@ -104,6 +104,19 @@ class Test_static_view_use_subpath_False(unittest.TestCase): self.assertRaises(HTTPNotFound, inst, context, request) + def test_oob_nul_char(self): + import os + + inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static') + dds = '..\x00/' + request = self._makeRequest( + {'PATH_INFO': f'/{dds}'} + ) + context = DummyContext() + from pyramid.httpexceptions import HTTPNotFound + + self.assertRaises(HTTPNotFound, inst, context, request) + def test_resource_doesnt_exist(self): inst = self._makeOne('tests:fixtures/static') request = self._makeRequest({'PATH_INFO': '/notthere'}) -- cgit v1.2.3 From d1dc3789e30c5ffa3e75df39033b9bd9752aebd5 Mon Sep 17 00:00:00 2001 From: Tres Seaver Date: Mon, 21 Aug 2023 14:50:34 -0400 Subject: chore: appease lint, better varname --- tests/test_static.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'tests') diff --git a/tests/test_static.py b/tests/test_static.py index 97978f2a4..5b11d89a8 100644 --- a/tests/test_static.py +++ b/tests/test_static.py @@ -108,10 +108,8 @@ class Test_static_view_use_subpath_False(unittest.TestCase): import os inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static') - dds = '..\x00/' - request = self._makeRequest( - {'PATH_INFO': f'/{dds}'} - ) + super_w_null = '..\x00/' + request = self._makeRequest({'PATH_INFO': f'/{super_w_null}'}) context = DummyContext() from pyramid.httpexceptions import HTTPNotFound -- cgit v1.2.3 From 2af309223d6050feff3f85701a93166f3d4b5fee Mon Sep 17 00:00:00 2001 
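Review bot: The static root in test_oob_nul_char is built from `os.getcwd()`, so the test only finds `tests/fixtures/static` when the runner is started from the repository root, whereas the neighbouring tests use the cwd-independent `'tests:fixtures/static'` asset spec. If the absolute-path branch is what this test is meant to exercise, derive the directory from the test module instead: `inst = self._makeOne(os.path.join(os.path.dirname(__file__), 'fixtures', 'static'))`. Nothing in these hunks refers to the new `tests/fixtures/index.html` fixture, so its role is invisible from the test; a comment on the request line such as `# tests/fixtures/index.html sits one level above the static root; a successful escape would presumably serve it instead of raising HTTPNotFound` would tie the two together. Test_static_view_use_subpath_False continues outside the hunk.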
From: Chris McDonough Date: Mon, 21 Aug 2023 18:06:29 -0400 Subject: add integration tests --- tests/pkgs/static_abspath_nulbyte/__init__.py | 10 ++++++++++ tests/pkgs/static_assetspec_nulbyte/__init__.py | 2 ++ tests/test_integration.py | 7 +++++++ 3 files changed, 19 insertions(+) create mode 100644 tests/pkgs/static_abspath_nulbyte/__init__.py create mode 100644 tests/pkgs/static_assetspec_nulbyte/__init__.py (limited to 'tests') diff --git a/tests/pkgs/static_abspath_nulbyte/__init__.py b/tests/pkgs/static_abspath_nulbyte/__init__.py new file mode 100644 index 000000000..a946fcdf9 --- /dev/null +++ b/tests/pkgs/static_abspath_nulbyte/__init__.py @@ -0,0 +1,10 @@ +import os + + +def includeme(config): + here = here = os.path.dirname(__file__) + static + static = os.path.normpath( + os.path.join(here, '..', '..', 'fixtures', 'statc') + ) + config.add_static_view('/', static) diff --git a/tests/pkgs/static_assetspec_nulbyte/__init__.py b/tests/pkgs/static_assetspec_nulbyte/__init__.py new file mode 100644 index 000000000..49cebab3e --- /dev/null +++ b/tests/pkgs/static_assetspec_nulbyte/__init__.py @@ -0,0 +1,2 @@ +def includeme(config): + config.add_static_view('/', 'tests:fixtures/static') diff --git a/tests/test_integration.py b/tests/test_integration.py index 0b55872d2..184368214 100644 --- a/tests/test_integration.py +++ b/tests/test_integration.py 
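Review bot: `here = here = os.path.dirname(__file__)` in includeme binds the same name twice; the line should read `here = os.path.dirname(__file__)`. The stray `static` statement and the `'statc'` typo on the following lines are corrected by d4a821 later in this series, but the duplicate assignment still appears as context in that later hunk, so it survives the series. The `'..', '..'` hops only resolve while the package stays at this depth under `tests/pkgs`; a comment naming the target, e.g. `# resolves to tests/fixtures/static relative to this package`, would make that dependency visible.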
@@ -220,10 +220,17 @@ class TestEventOnlySubscribers(IntegrationBase, unittest.TestCase): class TestStaticAppUsingAbsPath(StaticAppBase, unittest.TestCase): package = 'tests.pkgs.static_abspath' + def test_nulbyte_chroot(self): + super_w_null = '/static/..\x00/' + res = self.testapp.get(f'/{super_w_null}', status=404) + class TestStaticAppUsingAssetSpec(StaticAppBase, unittest.TestCase): package = 'tests.pkgs.static_assetspec' + def test_nulbyte_chroot(self): + super_w_null = 'static/..\x00/' + res = self.testapp.get(f'/{super_w_null}', status=404) class TestStaticAppWithEncodings(IntegrationBase, unittest.TestCase): package = 'tests.pkgs.static_encodings' -- cgit v1.2.3 From d4a821c7b134b983e72e653b17b5a25507552620 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Mon, 21 Aug 2023 18:27:04 -0400 Subject: re-add integration tests (bad merge) and add integration test for nulbyte check when asset spec override exists --- tests/pkgs/static_abspath_nulbyte/__init__.py | 3 +-- tests/pkgs/static_assetspec_nulbyte/__init__.py | 3 +++ tests/test_integration.py | 22 +++++++++++++++++----- 3 files changed, 21 insertions(+), 7 deletions(-) (limited to 'tests') diff --git a/tests/pkgs/static_abspath_nulbyte/__init__.py b/tests/pkgs/static_abspath_nulbyte/__init__.py index a946fcdf9..2248522e9 100644 --- a/tests/pkgs/static_abspath_nulbyte/__init__.py +++ b/tests/pkgs/static_abspath_nulbyte/__init__.py @@ -3,8 +3,7 @@ import os def includeme(config): here = here = os.path.dirname(__file__) - static static = os.path.normpath( - os.path.join(here, '..', '..', 'fixtures', 'statc') + os.path.join(here, '..', '..', 'fixtures', 'static') ) config.add_static_view('/', static) diff --git a/tests/pkgs/static_assetspec_nulbyte/__init__.py b/tests/pkgs/static_assetspec_nulbyte/__init__.py index 49cebab3e..5ac6e8cf5 100644 --- a/tests/pkgs/static_assetspec_nulbyte/__init__.py +++ b/tests/pkgs/static_assetspec_nulbyte/__init__.py 
@@ -1,2 +1,5 @@ def includeme(config): config.add_static_view('/', 'tests:fixtures/static') + config.add_static_view('/sub', 'tests:fixtures/static/subdir') + config.override_asset('tests:fixtures/static/subdir', + 'tests:fixtures/static') diff --git a/tests/test_integration.py b/tests/test_integration.py index 184368214..d14ee846e 100644 --- a/tests/test_integration.py +++ b/tests/test_integration.py @@ -220,18 +220,30 @@ class TestEventOnlySubscribers(IntegrationBase, unittest.TestCase): class TestStaticAppUsingAbsPath(StaticAppBase, unittest.TestCase): package = 'tests.pkgs.static_abspath' - def test_nulbyte_chroot(self): - super_w_null = '/static/..\x00/' - res = self.testapp.get(f'/{super_w_null}', status=404) - class TestStaticAppUsingAssetSpec(StaticAppBase, unittest.TestCase): package = 'tests.pkgs.static_assetspec' + +class TestStaticAppUsingAbsPathNulByte(IntegrationBase, unittest.TestCase): + package = 'tests.pkgs.static_abspath_nulbyte' + def test_nulbyte_chroot(self): - super_w_null = 'static/..\x00/' + super_w_null = '..\x00/' res = self.testapp.get(f'/{super_w_null}', status=404) +class TestStaticAppUsingAssetSpecNulByte(IntegrationBase, unittest.TestCase): + package = 'tests.pkgs.static_assetspec_nulbyte' + + def test_nulbyte_chroot(self): + super_w_null = '..\x00/' + res = self.testapp.get(f'/{super_w_null}', status=404) + + def test_nulbyte_chroot_assetspec_override(self): + super_w_null = '..\x00/' + res = self.testapp.get(f'/sub/{super_w_null}', status=404) + + class TestStaticAppWithEncodings(IntegrationBase, unittest.TestCase): package = 'tests.pkgs.static_encodings' -- cgit v1.2.3 From bf998f3b0064a9c342f114120d069ec8251e2ff8 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Mon, 21 Aug 2023 18:43:33 -0400 Subject: appease linter --- tests/test_integration.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'tests') diff --git a/tests/test_integration.py b/tests/test_integration.py index d14ee846e..63a7088e9 100644 
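Review bot: The `config.override_asset('tests:fixtures/static/subdir', 'tests:fixtures/static')` call in includeme is undocumented, and only the commit message says it exists to exercise the NUL check through an overridden asset spec. A comment above the call would carry that into the code, e.g. `# /sub is served through an asset override; the integration test checks NUL rejection on that path as well`. Whether `tests:fixtures/static/subdir` exists as a real directory is not visible here; if it does not, the comment should also say that the override is what makes `/sub` resolvable.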
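Review bot: Each of the three new `test_nulbyte_chroot*` methods asserts only `status=404`, which is also what an unwired or misconfigured static view would likely return (the `'statc'` typo fixed elsewhere in this series is exactly such a case), so the tests can pass without the NUL check ever running. Unlike the StaticAppBase-derived classes above them, the new IntegrationBase subclasses carry no positive request; add one per class, e.g. `self.testapp.get('/<existing fixture file>', status=200)` using a file that `tests/fixtures/static` actually contains (placeholder; the fixture listing is not visible here). The three bodies are otherwise identical apart from the URL prefix and would read better as one helper taking the path.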
--- a/tests/test_integration.py +++ b/tests/test_integration.py @@ -230,18 +230,19 @@ class TestStaticAppUsingAbsPathNulByte(IntegrationBase, unittest.TestCase): def test_nulbyte_chroot(self): super_w_null = '..\x00/' - res = self.testapp.get(f'/{super_w_null}', status=404) + self.testapp.get(f'/{super_w_null}', status=404) + class TestStaticAppUsingAssetSpecNulByte(IntegrationBase, unittest.TestCase): package = 'tests.pkgs.static_assetspec_nulbyte' def test_nulbyte_chroot(self): super_w_null = '..\x00/' - res = self.testapp.get(f'/{super_w_null}', status=404) + self.testapp.get(f'/{super_w_null}', status=404) def test_nulbyte_chroot_assetspec_override(self): super_w_null = '..\x00/' - res = self.testapp.get(f'/sub/{super_w_null}', status=404) + self.testapp.get(f'/sub/{super_w_null}', status=404) class TestStaticAppWithEncodings(IntegrationBase, unittest.TestCase): -- cgit v1.2.3 From fe4de1da370a373a788116727849bab585edaf02 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Mon, 21 Aug 2023 18:44:48 -0400 Subject: appease linter --- tests/pkgs/static_assetspec_nulbyte/__init__.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'tests') diff --git a/tests/pkgs/static_assetspec_nulbyte/__init__.py b/tests/pkgs/static_assetspec_nulbyte/__init__.py index 5ac6e8cf5..d44b04e93 100644 --- a/tests/pkgs/static_assetspec_nulbyte/__init__.py +++ b/tests/pkgs/static_assetspec_nulbyte/__init__.py @@ -1,5 +1,6 @@ def includeme(config): config.add_static_view('/', 'tests:fixtures/static') config.add_static_view('/sub', 'tests:fixtures/static/subdir') - config.override_asset('tests:fixtures/static/subdir', - 'tests:fixtures/static') + config.override_asset( + 'tests:fixtures/static/subdir', 'tests:fixtures/static' + ) -- cgit v1.2.3