(tmp_path: Path)
| 574 | |
| 575 | |
def test_staticfiles_avoids_path_traversal(tmp_path: Path) -> None:
    """Check that ``..`` segments cannot reach files outside the served directory.

    Two targets outside ``tmp_path / "static"`` are requested: a file in the
    parent directory, and a file in a sibling directory named
    ``static_disallow``. Both requests must raise ``HTTPException`` with
    status 404 and detail "Not Found".
    """
    served_dir = tmp_path / "static"
    sibling_dir = tmp_path / "static_disallow"
    for directory in (served_dir, sibling_dir):
        directory.mkdir()

    # One public file inside the served tree, two private files outside it.
    (served_dir / "index.html").write_text("<h1>Hello</h1>")
    (sibling_dir / "index.html").write_text("<h1>Private</h1>")
    (tmp_path / "static1.txt").write_text("Private")

    app = StaticFiles(directory=served_dir)

    # We can't test this with 'httpx', so we test the app directly here.
    # NOTE(review): the sibling name "static_disallow" starts with the served
    # directory's name "static"; presumably this is deliberate, so that a
    # containment check based on a plain string prefix would fail this test.
    escaping_paths = ("/../static1.txt", "/../static_disallow/index.html")
    for request_path in escaping_paths:
        resolved = app.get_path({"path": request_path})
        with pytest.raises(HTTPException) as exc_info:
            anyio.run(app.get_response, resolved, {"method": "GET"})

        # Both traversal attempts must produce the same plain 404 response.
        assert exc_info.value.status_code == 404
        assert exc_info.value.detail == "Not Found"
| 607 | |
| 608 | |
| 609 | def test_staticfiles_rejects_absolute_paths(tmp_path: Path) -> None: |