
Method test_dangerous_file_names

tests/file_uploads/tests.py:379–417  ·  view source on GitHub ↗

Uploaded file names should be sanitized before ever reaching the view.


377 self.assertEqual(received["file"], "non-printable_chars.txt")
def test_dangerous_file_names(self):
    """
    Uploaded file names should be sanitized before ever reaching the view.

    Builds a multipart POST by hand so that each part carries one of the
    CANDIDATE_TRAVERSAL_FILE_NAMES as its ``filename`` (names containing
    os.sep or os.pardir, which the regular test client will not emit), sends
    it to ``/echo/`` and checks that every name arrives as ``hax0rd.txt``.
    """
    # Simulate a directory-traversal attempt by a malicious uploader. The
    # normal client API refuses to build an invalid file name, so the body
    # is assembled piece by piece - roughly the effort a real attacker would
    # have to go to.
    boundary = "--" + client.BOUNDARY
    payload = client.FakePayload()
    for index, filename in enumerate(CANDIDATE_TRAVERSAL_FILE_NAMES):
        disposition = (
            'Content-Disposition: form-data; name="file%s"; filename="%s"'
            % (index, filename)
        )
        part_lines = [
            boundary,
            disposition,
            "Content-Type: application/octet-stream",
            "",
            "You got pwnd.\r\n",
        ]
        payload.write("\r\n".join(part_lines))
    # Closing delimiter of the multipart body.
    payload.write("\r\n" + boundary + "--\r\n")

    environ = {
        "CONTENT_LENGTH": len(payload),
        "CONTENT_TYPE": client.MULTIPART_CONTENT,
        "PATH_INFO": "/echo/",
        "REQUEST_METHOD": "POST",
        "wsgi.input": payload,
    }
    response = self.client.request(**environ)

    # Whatever traversal sequence was sent, the echo view must only ever see
    # the sanitized name.
    received = response.json()
    for index, _ in enumerate(CANDIDATE_TRAVERSAL_FILE_NAMES):
        self.assertEqual(received["file%s" % index], "hax0rd.txt")
419 def test_filename_overflow(self):
420 """
