
Validate pathnames before using them

1 parent 9115505 commit c0fd7bf5adf6d8f200d517a345e5164eef6fbf3f @richo committed Apr 2, 2013
Showing with 20 additions and 1 deletion.
  1. +7 −0 groundstation/gref.py
  2. +13 −1 test/test_gref.py
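--- a/groundstation/gref.py
+++ b/groundstation/gref.py
@@ -8,11 +8,18 @@
 log = logger.getLogger(__name__)
+def valid_path(path):
+ test_path = os.path.join("/", path)
+ return os.path.realpath(test_path) == test_path
+
+
 class Gref(object):
 def __init__(self, store, channel, identifier):
 self.store = store
 self.channel = channel.replace("/", "_")
+ assert valid_path(self.channel), "Invalid channel"
 self.identifier = identifier
+ assert valid_path(self.identifier), "Invalid identifier"
 self._node_path = os.path.join(self.store.gref_path(),
 self.channel,
 self.identifier)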
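Review bot: `valid_path` accepts an absolute path, because `os.path.join("/", path)` returns `path` unchanged when it already starts with `/`, and the later `os.path.join(self.store.gref_path(), self.channel, self.identifier)` then discards the store prefix for such an identifier (the channel is covered by `replace("/", "_")`, the identifier is not). Adding `if os.path.isabs(path): return False` at the top of `valid_path` closes that case, and a containment check of the final `_node_path` against `self.store.gref_path()` would be sturdier still. The two `assert` statements are also stripped when Python runs with `-O`, so the validation should raise explicitly, e.g. `if not valid_path(self.identifier): raise ValueError("Invalid identifier")`, with the `AssertionError` expectations in test/test_gref.py updated to match. Because `os.path.realpath` resolves symlinks on the host, a name that happens to match a symlink directly under `/` would be rejected as well, which makes the result machine-dependent. The `Gref` class continues past the end of the hunk.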
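--- a/test/test_gref.py
+++ b/test/test_gref.py
@@ -1,7 +1,7 @@
 import store_fixture
 import groundstation.store
-from groundstation.gref import Gref
+from groundstation.gref import Gref, valid_path
 class TestGitGref(store_fixture.StoreTestCase):
@@ -56,3 +56,15 @@ def test_direct_parents(self):
 gref.write_tip(final_oid, "")
 self.assertEqual(gref.direct_parents(final_oid), first_tier)
+
+ def test_valid_path_works(self):
+ self.assertTrue(valid_path("asdf"))
+ self.assertTrue(valid_path("asdf/foo"))
+ self.assertFalse(valid_path("../asdf/asdfasdf"))
+ self.assertFalse(valid_path("././asdf/asdfasdf"))
+ self.assertFalse(valid_path("asdf/../asdfasdf"))
+
+ def test_raises_on_suspicious_path(self):
+ self.assertRaises(AssertionError, Gref, self.repo, "testchannel", "test_write_tip/../hax")
+ self.assertRaises(AssertionError, Gref, self.repo, "testchannel", ".")
+ self.assertRaises(AssertionError, Gref, self.repo, "testchannel", "..")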
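Review bot: `test_valid_path_works` has no case for an absolute path or an empty string, so the check's behaviour on those inputs is unpinned. With `valid_path` as written in this commit, `os.path.join("/", path)` returns an absolute `path` unchanged, so a case such as `self.assertFalse(valid_path("/asdf"))` would be expected to fail today and is worth adding together with the corresponding fix. The `assertRaises(AssertionError, ...)` cases in `test_raises_on_suspicious_path` also tie the tests to `assert`, which is stripped under `python -O`; asserting a dedicated exception type would keep them meaningful if the check is changed to raise explicitly.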
