hub / github.com/encode/starlette / test_staticfiles_avoids_path_traversal

Function test_staticfiles_avoids_path_traversal

tests/test_staticfiles.py:576–606  ·  view source on GitHub ↗
(tmp_path: Path)

Source from the content-addressed store, hash-verified

def test_staticfiles_avoids_path_traversal(tmp_path: Path) -> None:
    """Check that ``..`` segments cannot reach files outside the served directory.

    Only ``tmp_path / "static"`` is handed to ``StaticFiles``. Two targets are
    placed outside it: a file directly in ``tmp_path`` and a file inside the
    sibling directory ``static_disallow``. The sibling's name begins with the
    served directory's name, so it presumably exists to catch a containment
    check that compares path strings by prefix instead of by path component.

    Both targets really exist on disk, so the expected 404 shows that the
    lookup was refused, not that the file was missing.
    """
    served_dir = tmp_path / "static"
    sibling_dir = tmp_path / "static_disallow"
    for directory in (served_dir, sibling_dir):
        directory.mkdir()

    # One file inside the served tree, two outside it.
    (served_dir / "index.html").write_text("<h1>Hello</h1>")
    (sibling_dir / "index.html").write_text("<h1>Private</h1>")
    (tmp_path / "static1.txt").write_text("Private")

    app = StaticFiles(directory=served_dir)

    # We can't test this with 'httpx', so we test the app directly here.
    # NOTE(review): presumably the client normalises dot segments before
    # sending, so the raw "/../" would never reach the app; confirm.
    escaping_requests = ("/../static1.txt", "/../static_disallow/index.html")
    for requested in escaping_requests:
        path = app.get_path({"path": requested})
        with pytest.raises(HTTPException) as exc_info:
            anyio.run(app.get_response, path, {"method": "GET"})

        raised = exc_info.value
        assert raised.status_code == 404
        assert raised.detail == "Not Found"
609def test_staticfiles_rejects_absolute_paths(tmp_path: Path) -> None:

Callers

nothing calls this directly

Calls 2

get_pathMethod · 0.95
StaticFilesClass · 0.90

Tested by

no test coverage detected