Fixing file:// file pickup - for change detection of local files (#2505)

pull/2511/head
dgtlmoon 5 months ago committed by GitHub
parent c0b6c8581e
commit e756e0af5e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -4,6 +4,7 @@ import os
import chardet import chardet
import requests import requests
from changedetectionio import strtobool
from changedetectionio.content_fetchers.exceptions import BrowserStepsInUnsupportedFetcher, EmptyReply, Non200ErrorCodeReceived from changedetectionio.content_fetchers.exceptions import BrowserStepsInUnsupportedFetcher, EmptyReply, Non200ErrorCodeReceived
from changedetectionio.content_fetchers.base import Fetcher from changedetectionio.content_fetchers.base import Fetcher
@ -45,7 +46,13 @@ class fetcher(Fetcher):
if self.system_https_proxy: if self.system_https_proxy:
proxies['https'] = self.system_https_proxy proxies['https'] = self.system_https_proxy
r = requests.request(method=request_method, session = requests.Session()
if strtobool(os.getenv('ALLOW_FILE_URI', 'false')) and url.startswith('file://'):
from requests_file import FileAdapter
session.mount('file://', FileAdapter())
r = session.request(method=request_method,
data=request_body, data=request_body,
url=url, url=url,
headers=request_headers, headers=request_headers,
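Review bot: The new `requests.Session()` is never closed, whereas the `requests.request(...)` call it replaces manages and closes its own session, so each fetch now leaves the session's adapters to garbage collection. Wrapping the call as `with requests.Session() as session:` would restore that, provided the response body is fully read before the block exits, which depends on code outside this hunk. A comment above the `ALLOW_FILE_URI` check would also help, for example `# file:// is opt-in; no path restriction is applied here, so any file readable by this process can be fetched once enabled`. The enclosing method starts and ends outside the hunk.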

@ -36,3 +36,7 @@ pytest tests/test_notification.py
pytest tests/test_backend.py pytest tests/test_backend.py
pytest tests/test_rss.py pytest tests/test_rss.py
pytest tests/test_unique_lines.py pytest tests/test_unique_lines.py
# Check file:// will pickup a file when enabled
echo "Hello world" > /tmp/test-file.txt
ALLOW_FILE_URI=yes pytest tests/test_security.py
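Review bot: `ALLOW_FILE_URI=yes` is set for the whole of tests/test_security.py, so the default-deny assertion in the `else` branch of test_file_access is only exercised if the file is also run without the variable somewhere outside this hunk. If it is not, add a plain `pytest tests/test_security.py` line next to this one so both the enabled and the denied path stay covered. The fixture is also written to the fixed path `/tmp/test-file.txt` and never removed; a trailing `rm -f /tmp/test-file.txt` would keep it from lingering on shared runners.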

@ -1,7 +1,12 @@
import os
from flask import url_for from flask import url_for
from .util import set_original_response, set_modified_response, live_server_setup, wait_for_all_checks from .util import set_original_response, set_modified_response, live_server_setup, wait_for_all_checks
import time import time
from .. import strtobool
def test_setup(client, live_server, measure_memory_usage): def test_setup(client, live_server, measure_memory_usage):
live_server_setup(live_server) live_server_setup(live_server)
@ -55,16 +60,32 @@ def test_bad_access(client, live_server, measure_memory_usage):
assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
# file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
def test_file_access(client, live_server, measure_memory_usage):
#live_server_setup(live_server)
test_file_path = "/tmp/test-file.txt"
# file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
client.post( client.post(
url_for("form_quick_watch_add"), url_for("form_quick_watch_add"),
data={"url": 'file:///tasty/disk/drive', "tags": ''}, data={"url": f"file://{test_file_path}", "tags": ''},
follow_redirects=True follow_redirects=True
) )
wait_for_all_checks(client) wait_for_all_checks(client)
res = client.get(url_for("index")) res = client.get(url_for("index"))
# If it is enabled at test time
if strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
res = client.get(
url_for("preview_page", uuid="first"),
follow_redirects=True
)
# Should see something (this file added by run_basic_tests.sh)
assert b"Hello world" in res.data
else:
# Default should be here
assert b'file:// type access is denied for security reasons.' in res.data assert b'file:// type access is denied for security reasons.' in res.data
def test_xss(client, live_server, measure_memory_usage): def test_xss(client, live_server, measure_memory_usage):
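Review bot: test_file_access reads `/tmp/test-file.txt`, which only exists when run_basic_tests.sh has created it, so running pytest directly with `ALLOW_FILE_URI=yes` fails for a reason unrelated to the fetcher. Writing the fixture inside the test, e.g. `with open(test_file_path, 'w') as f: f.write("Hello world")`, would make the enabled branch self-contained. The enabled branch also asserts only on the preview page; asserting that the deny message is absent from the index response, `assert b'file:// type access is denied for security reasons.' not in res.data` before `res` is reassigned, would pin both sides of the toggle.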

@ -22,6 +22,7 @@ validators~=0.21
# >= 2.26 also adds Brotli support if brotli is installed # >= 2.26 also adds Brotli support if brotli is installed
brotli~=1.0 brotli~=1.0
requests[socks] requests[socks]
requests-file
urllib3==1.26.19 urllib3==1.26.19
chardet>2.3.0 chardet>2.3.0
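Review bot: `requests-file` is added without a version constraint, while the neighbouring `urllib3==1.26.19` and `brotli~=1.0` are constrained. Since this package performs the local file reads behind `ALLOW_FILE_URI`, an unreviewed upstream release would be picked up on the next install. Consider a compatible-release pin such as `requests-file~=<REVIEWED_VERSION>` (placeholder; use the version that was actually tested).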
