Skip to content

Commit

Permalink
test: Add tests to tests/test_webservice.py for directory traversal
Browse files Browse the repository at this point in the history
  • Loading branch information
@jpmckinney
jpmckinney committed Jul 18, 2024
1 parent 52b3df3 commit 9e4eccd
Showing 1 changed file with 60 additions and 0 deletions.
60 changes: 60 additions & 0 deletions tests/test_webservice.py
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
from pathlib import Path
from unittest import mock

import pytest

from scrapyd.exceptions import DirectoryTraversalError, RunnerError
from scrapyd.interfaces import IEggStorage
from scrapyd.jobstorage import Job

Expand Down Expand Up @@ -154,3 +157,60 @@ def test_schedule(self, txrequest, site_with_egg):
assert site_with_egg.scheduler.calls == [['quotesbot', 'toscrape-css']]
assert content['status'] == 'ok'
assert 'jobid' in content

@pytest.mark.parametrize('endpoint,attach_egg,method', [
(b'addversion.json', True, 'render_POST'),
(b'listversions.json', False, 'render_GET'),
(b'delproject.json', False, 'render_POST'),
(b'delversion.json', False, 'render_POST'),
])
def test_bad_project_names(self, txrequest, site_no_egg, endpoint, attach_egg, method):
txrequest.args = {
b'project': [b'../p'],
b'version': [b'0.1'],
}

if attach_egg:
egg_path = Path(__file__).absolute().parent / "quotesbot.egg"
with open(egg_path, 'rb') as f:
txrequest.args[b'egg'] = [f.read()]

with pytest.raises(DirectoryTraversalError) as exc:
getattr(site_no_egg.children[endpoint], method)(txrequest)

assert str(exc.value) == "../p"

storage = site_no_egg.app.getComponent(IEggStorage)
version, egg = storage.get('quotesbot')
if egg:
egg.close()

assert version is None

@pytest.mark.parametrize('endpoint,attach_egg,method', [
(b'schedule.json', False, 'render_POST'),
(b'listspiders.json', False, 'render_GET'),
])
def test_bad_project_names_runner(self, txrequest, site_no_egg, endpoint, attach_egg, method):
txrequest.args = {
b'project': [b'../p'],
b'spider': [b's'],
}

if attach_egg:
egg_path = Path(__file__).absolute().parent / "quotesbot.egg"
with open(egg_path, 'rb') as f:
txrequest.args[b'egg'] = [f.read()]

with pytest.raises(RunnerError) as exc:
getattr(site_no_egg.children[endpoint], method)(txrequest)

assert str(exc.value).startswith("Traceback (most recent call last):"), str(exc.value)
assert str(exc.value).endswith("scrapyd.exceptions.DirectoryTraversalError: ../p\n"), str(exc.value)

storage = site_no_egg.app.getComponent(IEggStorage)
version, egg = storage.get('quotesbot')
if egg:
egg.close()

assert version is None

0 comments on commit 9e4eccd

Please sign in to comment.