|
|
@ -1,9 +1,7 @@
|
|
|
|
import os
|
|
|
|
import os
|
|
|
|
|
|
|
|
|
|
|
|
from flask import url_for
|
|
|
|
from flask import url_for
|
|
|
|
from .util import set_original_response, set_modified_response, live_server_setup, wait_for_all_checks
|
|
|
|
from .util import live_server_setup, wait_for_all_checks
|
|
|
|
import time
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
from .. import strtobool
|
|
|
|
from .. import strtobool
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -61,15 +59,11 @@ def test_bad_access(client, live_server, measure_memory_usage):
|
|
|
|
assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
|
|
|
|
assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_file_slashslash_access(client, live_server, measure_memory_usage):
|
|
|
|
def _runner_test_various_file_slash(client, file_uri):
|
|
|
|
#live_server_setup(live_server)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
test_file_path = os.path.abspath(__file__)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
|
|
|
|
|
|
|
|
client.post(
|
|
|
|
client.post(
|
|
|
|
url_for("form_quick_watch_add"),
|
|
|
|
url_for("form_quick_watch_add"),
|
|
|
|
data={"url": f"file://{test_file_path}", "tags": ''},
|
|
|
|
data={"url": file_uri, "tags": ''},
|
|
|
|
follow_redirects=True
|
|
|
|
follow_redirects=True
|
|
|
|
)
|
|
|
|
)
|
|
|
|
wait_for_all_checks(client)
|
|
|
|
wait_for_all_checks(client)
|
|
|
@ -77,38 +71,25 @@ def test_file_slashslash_access(client, live_server, measure_memory_usage):
|
|
|
|
|
|
|
|
|
|
|
|
# If it is enabled at test time
|
|
|
|
# If it is enabled at test time
|
|
|
|
if strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
|
|
|
|
if strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
|
|
|
|
res = client.get(
|
|
|
|
# So it should permit it, but it should fall back to the 'requests' library giving an error
|
|
|
|
url_for("preview_page", uuid="first"),
|
|
|
|
# (but means it gets passed to playwright etc)
|
|
|
|
follow_redirects=True
|
|
|
|
assert b"URLs with hostname components are not permitted" in res.data
|
|
|
|
)
|
|
|
|
assert b"_runner_test_various_file_slash" in res.data # Can read this file OK
|
|
|
|
|
|
|
|
|
|
|
|
assert b"test_file_slashslash_access" in res.data
|
|
|
|
|
|
|
|
else:
|
|
|
|
else:
|
|
|
|
# Default should be here
|
|
|
|
# Default should be here
|
|
|
|
assert b'file:// type access is denied for security reasons.' in res.data
|
|
|
|
assert b'file:// type access is denied for security reasons.' in res.data
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
res = client.get(url_for("form_delete", uuid="all"), follow_redirects=True)
|
|
|
|
|
|
|
|
assert b'Deleted' in res.data
|
|
|
|
|
|
|
|
|
|
|
|
def test_file_slash_access(client, live_server, measure_memory_usage):
|
|
|
|
def test_file_slash_access(client, live_server, measure_memory_usage):
|
|
|
|
#live_server_setup(live_server)
|
|
|
|
#live_server_setup(live_server)
|
|
|
|
|
|
|
|
# file: is permitted by default, but it will be caught by ALLOW_FILE_URI
|
|
|
|
|
|
|
|
|
|
|
|
test_file_path = os.path.abspath(__file__)
|
|
|
|
test_file_path = os.path.abspath(__file__)
|
|
|
|
|
|
|
|
_runner_test_various_file_slash(client, file_uri=f"file://{test_file_path}")
|
|
|
|
# file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
|
|
|
|
_runner_test_various_file_slash(client, file_uri=f"file:/{test_file_path}")
|
|
|
|
client.post(
|
|
|
|
_runner_test_various_file_slash(client, file_uri=f"file:{test_file_path}") # CVE-2024-56509
|
|
|
|
url_for("form_quick_watch_add"),
|
|
|
|
|
|
|
|
data={"url": f"file:/{test_file_path}", "tags": ''},
|
|
|
|
|
|
|
|
follow_redirects=True
|
|
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
wait_for_all_checks(client)
|
|
|
|
|
|
|
|
res = client.get(url_for("index"))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# If it is enabled at test time
|
|
|
|
|
|
|
|
if strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
|
|
|
|
|
|
|
|
# So it should permit it, but it should fall back to the 'requests' library giving an error
|
|
|
|
|
|
|
|
# (but means it gets passed to playwright etc)
|
|
|
|
|
|
|
|
assert b"URLs with hostname components are not permitted" in res.data
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
# Default should be here
|
|
|
|
|
|
|
|
assert b'file:// type access is denied for security reasons.' in res.data
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_xss(client, live_server, measure_memory_usage):
|
|
|
|
def test_xss(client, live_server, measure_memory_usage):
|
|
|
|
#live_server_setup(live_server)
|
|
|
|
#live_server_setup(live_server)
|
|
|
|