clean filenames in extra_json property

mozilla · Jun 27, 2012 · f43caec · f43caec
1 parent 7dbfabb
commit f43caec
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/apps/jetpack/models.py b/apps/jetpack/models.py
@@ -805,12 +805,20 @@ def set_extra_json(self, extra_json, save=True):
         raises JSONDecodeError
         """
         self.add_commit_message('Extra JSON properties changed')
+        cleaned_json = None
         if extra_json:
-            # if not an empty string or None, just check it is
-            # valid JSON
-            simplejson.loads(extra_json)
-
-        self.extra_json = extra_json
+            # check for valid JSON, plus clean out filenames
+            json = simplejson.loads(extra_json)
+            # possible file names: icon, icon64
+            # also possibly lib, tests, main, but FlightDeck overrides
+            properties_to_check = ('icon', 'icon64',)
+            for prop in properties_to_check:
+                if prop in json:
+                    json[prop] = _clean_filename(json.get(prop))
+
+            cleaned_json = simplejson.dumps(json)
+
+        self.extra_json = cleaned_json
         if save:
             self.save()
 

diff --git a/apps/jetpack/tests/revision_tests.py b/apps/jetpack/tests/revision_tests.py
@@ -395,6 +395,13 @@ def test_adding_invalid_extra_json(self):
         }
         ''')
 
+        from jetpack.errors import IllegalFilenameException
+        self.assertRaises(IllegalFilenameException, rev.set_extra_json, '''
+        {
+            "icon": "/user/sean/.ssh/config"
+        }
+        ''')
+
     def test_add_commit_message(self):
         author = User.objects.all()[0]
         addon = Package(type='a', author=author)