Merge branch 'master' of ssh://gitlab.version.fz-juelich.de:10022/rybicki1/datacatalog

cc46135d · Christian Boettcher · a463866a · 5f4fcebd · cc46135d · cc46135d
Commit cc46135d authored Jun 10, 2021 by Christian Boettcher
--- a/README.md
+++ b/README.md
@@ -70,9 +70,13 @@ More information about uvicorn settings (including information about how to bind

 ### Testing

-First ensure that the `pytest` package is installed (It is included in the `requirements.txt`).
+First ensure that the `pytest` package is installed (It is included in the `testing_requirements.txt`).

-Tests are located in the `apiserver_tests` directory. They can be executed by simply running `pytest` while in the project folder.
+Tests are located in the `apiserver_tests` directory. They can be executed by simply running `pytest` while in the project folder. You can also use
+nose for test (also included in `testing_requirements.txt`), for instance for tests with coverage report in html format run following:
+```bash
+nosetests --with-coverage --cover-package=apiserver --cover-html
+```

 If more test-files should be added, they should be named with a `test_` prefix and put into a similarily named folder, so that they can be auto-detected.

@@ -80,7 +84,6 @@ The `context.py` file helps with importing the apiserver-packages, so that the t



-
 ### Using the docker image

 #### Building the docker image

--- a/apiserver/storage/JsonFileStorageAdapter.py
+++ b/apiserver/storage/JsonFileStorageAdapter.py
@@ -50,11 +50,16 @@ class JsonFileStorageAdapter(AbstractLocationDataStorageAdapter):

    def __get_object_path(self, value: str, oid: str) -> str:
        localpath = os.path.join(self.data_dir, value)
-        fullpath = os.path.join(localpath, oid)
-        if not os.path.isfile(fullpath):
+        full_path = os.path.join(localpath, oid)
+        common = os.path.commonprefix((os.path.realpath(full_path),os.path.realpath(self.data_dir)))
+        if common != os.path.realpath(self.data_dir):
+            print(f"Escaping the data dir! {common} {full_path}")
+            raise FileNotFoundError()
+            
+        if not os.path.isfile(full_path):
            raise FileNotFoundError(
-                f"The requested object ({oid}) does not exist.")
-        return fullpath
+                f"The requested object ({oid}) {full_path} does not exist.")
+        return full_path

    def get_list(self, n_type: LocationDataType) -> List:
        local_path = self.__setup_path(n_type.value)

--- a/tests/apiserver_tests/test_put.py
+++ b/tests/apiserver_tests/test_put.py
-# These Tests check if the PUT calls work as intended, checking both valid puts and invalid puts
-
-from fastapi.testclient import TestClient
-
-from context import apiserver
-from context import storage
-
-client = TestClient(apiserver.app)
-
-# PUT a new dataset, store the id in global variable, verify via a GET if it worked
-
-# PUT an invalid type (i.e. a type not in the enum)
--- a/tests/storage_tests/test_jsonbackend.py
+++ b/tests/storage_tests/test_jsonbackend.py
@@ -6,6 +6,7 @@ from collections import namedtuple
 import os
 import pathlib
 import shutil
+import json


 class SomeTests(unittest.TestCase):
@@ -81,3 +82,21 @@ class SomeTests(unittest.TestCase):
                                              data=new_data, usr='tst2')
        self.assertEqual(new_data, r)
        self.assertEqual(oid, oid2)
+
+
+    def test_path_traversal(self):
+        l_data = LocationData(name='test1', url='http://n.go', metadata=[])
+
+        with open('/tmp/hackme', 'w+') as f:
+            json.dump({'secret': 'data', 'users': [], 'actualData': {'name': 'some', 'url': 'oo'}}, f)
+
+        (oid, data) = self.store.add_new(n_type=LocationDataType.DATASET, data=l_data, user_name='test_user')
+        details = None
+        try: 
+            details = self.store.get_details(n_type=LocationDataType.DATASET, oid='../../../tmp/hackme')
+        except:
+            pass 
+        print(details)
+        self.assertIsNone(details)
+
+