
Add tighter parameter checks in hc.front.views.serve_doc

pull/464/head
Pēteris Caune 4 years ago
parent
commit
0f1abd3498
No known key found for this signature in database GPG Key ID: E28D7679E9A9EDE2
3 changed files with 43 additions and 0 deletions
  1. +6
    -0
      CHANGELOG.md
  2. +31
    -0
      hc/front/tests/test_serve_doc.py
  3. +6
    -0
      hc/front/views.py

+ 6
- 0
CHANGELOG.md View File

@ -1,6 +1,12 @@
# Changelog
All notable changes to this project will be documented in this file.
## v1.19.0 - Unreleased
## Improvements
- Add tighter parameter checks in hc.front.views.serve_doc
## v1.18.0 - 2020-12-09
## Improvements


+ 31
- 0
hc/front/tests/test_serve_doc.py View File

@ -0,0 +1,31 @@
from unittest.mock import patch
from django.test import TestCase
class ServeDocTestCase(TestCase):
def test_it_serves_introduction(self):
r = self.client.get("/docs/")
self.assertEqual(r.status_code, 200)
self.assertContains(r, "<strong>keeps silent</strong>")
def test_it_serves_subpage(self):
r = self.client.get("/docs/reliability_tips/")
self.assertEqual(r.status_code, 200)
self.assertContains(r, "Pinging Reliability Tips")
def test_it_handles_bad_url(self):
r = self.client.get("/docs/does_not_exist/")
self.assertEqual(r.status_code, 404)
@patch("hc.front.views.os.path.exists")
def test_it_rejects_bad_characters(self, mock_exists):
r = self.client.get("/docs/NAUGHTY/")
self.assertEqual(r.status_code, 404)
# URL dispatcher's slug filter lets the uppercase letters through,
# but the view should still reject them, before any filesystem
# operations
self.assertFalse(mock_exists.called)
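Review bot: test_it_rejects_bad_characters exercises only uppercase letters, while the view's stated rule is "lowercase letters and underscores, nothing else"; if the URL pattern uses Django's default `slug` converter (not shown here), hyphens and digits are also let through by the dispatcher and are the more likely real-world inputs to pin. Adding a second request in the same test, `r = self.client.get("/docs/reliability-tips/")` with `self.assertEqual(r.status_code, 404)` and the same `self.assertFalse(mock_exists.called)`, would cover the hyphen case using the page name already used in test_it_serves_subpage. Note that the patched `os.path.exists` returns a truthy MagicMock, so if the guard ever regressed the view would proceed to a template lookup rather than a clean 404; the `mock_exists.called` assertion is what actually catches that, which deserves a one-line comment such as `# exists() is mocked truthy: a regression shows up as a call, not a 404`.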

+ 6
- 0
hc/front/views.py View File

@ -1,6 +1,7 @@
from datetime import datetime, timedelta as td
import json
import os
import re
from secrets import token_urlsafe
from urllib.parse import urlencode
@ -314,6 +315,11 @@ def dashboard(request):
def serve_doc(request, doc="introduction"):
# Filenames in /templates/docs/ consist of lowercase letters and underscores,
# -- make sure we don't accept anything else
if not re.match(r"^[a-z_]+$", doc):
raise Http404("not found")
path = os.path.join(settings.BASE_DIR, "templates/docs", doc + ".html")
if not os.path.exists(path):
raise Http404("not found")
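Review bot: The new guard `if not re.match(r"^[a-z_]+$", doc):` uses `$`, which in Python also matches just before a trailing newline, so a value like `"introduction\n"` would pass the check; `if not re.fullmatch(r"[a-z_]+", doc):` expresses the intent exactly and has no such edge. Whether a trailing newline can actually reach the view depends on the URL pattern, which is not in the hunk, but the comment above the check promises that nothing else is accepted, and fullmatch makes that literally true regardless of the dispatcher. Since the pattern runs on every request, compiling it once at module level, `DOC_NAME_RE = re.compile(r"[a-z_]+")`, also gives the test a single rule to reference. The body of serve_doc continues past the end of the hunk.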

