[feature] blobs path validation

Check if user and blob_id are valid strings, then check if the resulting path is a subdirectory of blobs configured path. - Related: #8800
author: Victor Shyba <victor1984@riseup.net> 2017-05-01 06:21:01 -0300
committer: Victor Shyba <victor1984@riseup.net> 2017-05-01 06:29:00 -0300
commit: 0c22a7047553afdc1ed8a33bea17ccbe842e5e6e (patch)
tree: 74c98bc002bfce146771b8f9c522cbf9151dfa5a /testing
parent: 313cc19603d787cf40ffe6e5a1feeed2b6226a39 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/testing/tests/blobs/test_fs_backend.py b/testing/tests/blobs/test_fs_backend.py
index 39ee0028..0d7e9789 100644
--- a/testing/tests/blobs/test_fs_backend.py
+++ b/testing/tests/blobs/test_fs_backend.py
@@ -97,3 +97,11 @@ class FilesystemBackendTestCase(unittest.TestCase):
         walk_mock.return_value = [(_, _, ['blob_0']), (_, _, ['blob_1'])]
         result = json.loads(backend.list_blobs('user', DummyRequest([''])))
         self.assertEquals(result, ['blob_0', 'blob_1'])
+
+    @pytest.mark.usefixtures("method_tmpdir")
+    def test_path_validation_for_subdirectories(self):
+        blobs_path = self.tempdir
+        backend = _blobs.FilesystemBlobsBackend(blobs_path)
+        self.assertFalse(backend._valid_subdir('/'))
+        self.assertFalse(backend._valid_subdir(blobs_path + '../../../../../'))
+        self.assertTrue(backend._valid_subdir(os.path.join(blobs_path, 'x')))
author	Victor Shyba <victor1984@riseup.net>	2017-05-01 06:21:01 -0300
committer	Victor Shyba <victor1984@riseup.net>	2017-05-01 06:29:00 -0300
commit	0c22a7047553afdc1ed8a33bea17ccbe842e5e6e (patch)
tree	74c98bc002bfce146771b8f9c522cbf9151dfa5a /testing
parent	313cc19603d787cf40ffe6e5a1feeed2b6226a39 (diff)