From 0c22a7047553afdc1ed8a33bea17ccbe842e5e6e Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Mon, 1 May 2017 06:21:01 -0300 Subject: [feature] blobs path validation Check if user and blob_id are valid strings, then check if the resulting path is a subdirectory of blobs configured path. - Related: #8800
---
testing/tests/blobs/test_fs_backend.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'testing/tests')
diff --git a/testing/tests/blobs/test_fs_backend.py b/testing/tests/blobs/test_fs_backend.py
index 39ee0028..0d7e9789 100644
--- a/testing/tests/blobs/test_fs_backend.py
+++ b/testing/tests/blobs/test_fs_backend.py
@@ -97,3 +97,11 @@ class FilesystemBackendTestCase(unittest.TestCase):
 walk_mock.return_value = [(_, _, ['blob_0']), (_, _, ['blob_1'])]
 result = json.loads(backend.list_blobs('user', DummyRequest([''])))
 self.assertEquals(result, ['blob_0', 'blob_1'])
+
+ @pytest.mark.usefixtures("method_tmpdir")
+ def test_path_validation_for_subdirectories(self):
+ blobs_path = self.tempdir
+ backend = _blobs.FilesystemBlobsBackend(blobs_path)
+ self.assertFalse(backend._valid_subdir('/'))
+ self.assertFalse(backend._valid_subdir(blobs_path + '../../../../../'))
+ self.assertTrue(backend._valid_subdir(os.path.join(blobs_path, 'x')))
-- cgit v1.2.3
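Review bot: The traversal case in `test_path_validation_for_subdirectories` builds its input as `blobs_path + '../../../../../'`, so if `self.tempdir` has no trailing separator the first component becomes `<tmpdir>..` rather than a `..` step out of the blobs directory, and the intended case is covered only by accident. `os.path.join(blobs_path, '..', '..')` would state the intent directly. The test also omits the two inputs that a prefix-based containment check typically gets wrong: a sibling directory sharing the string prefix, `self.assertFalse(backend._valid_subdir(blobs_path.rstrip('/') + '_sibling/x'))`, and a traversal after a valid component, `self.assertFalse(backend._valid_subdir(os.path.join(blobs_path, 'x', '..', '..')))`. `_valid_subdir` is outside this path-limited view, so whether it normalises the path before comparing cannot be confirmed here. The commit message also describes validating `user` and `blob_id`, which none of these assertions exercise.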