hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Add test for Django FileField upload_to

Browse Source 
The output from running the test script is:

```
'rootdir/bar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
'rootdir/bar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
'rootdir/foo%2fbar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
'rootdir/%2e%2e%2fbar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
'rootdir/foo%c0%afbar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
```

I didn't add a `.py` extension, so it wasn't extracted, since we don't
actually care about what we model in that file.
This commit is contained in:
Rasmus Wriedt Larsen
2022-04-13 11:25:15 +02:00
parent 304713ca87
commit c87b3087be
6 changed files with 63 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
python/ql/test/library-tests/frameworks/django-v2-v3/.gitignore vendored Normal file
View File

@@ -0,0 +1,5 @@
db.sqlite3
# The testapp/migrations/ folder needs to be comitted to git,
# but we don't care to store the actual migrations
testapp/migrations/

31
python/ql/test/library-tests/frameworks/django-v2-v3/test_file_field Executable file
View File

@@ -0,0 +1,31 @@
#!/usr/bin/env python3
# first run the server with
# python manage.py makemigrations && python manage.py migrate && python manage.py runserver
import requests
requests.post(
"http://127.0.0.1:8000/app/file-test/",
files={"fieldname": ("foo/bar", open("/home/rasmus/TODO", "rb"))}
)
requests.post(
"http://127.0.0.1:8000/app/file-test/",
files={"fieldname": ("../bar", open("/home/rasmus/TODO", "rb"))}
)
requests.post(
"http://127.0.0.1:8000/app/file-test/",
files={"fieldname": (r"foo%2fbar", open("/home/rasmus/TODO", "rb"))}
)
requests.post(
"http://127.0.0.1:8000/app/file-test/",
files={"fieldname": (r"%2e%2e%2fbar", open("/home/rasmus/TODO", "rb"))}
)
requests.post(
"http://127.0.0.1:8000/app/file-test/",
files={"fieldname": (r"foo%c0%afbar", open("/home/rasmus/TODO", "rb"))}
)

9
python/ql/test/library-tests/frameworks/django-v2-v3/testapp/models.py
View File

@@ -1,3 +1,10 @@
import os.path
from django.db import models
# Create your models here.
def custom_path_function(instance, filename):
print(repr(os.path.join("rootdir", filename)))
raise NotImplementedError()
class MyModel(models.Model):
upload = models.FileField(upload_to=custom_path_function)

2
python/ql/test/library-tests/frameworks/django-v2-v3/testapp/urls.py
View File

@@ -14,6 +14,8 @@ urlpatterns = [
path("CustomRedirectView/<foo>", views.CustomRedirectView.as_view()), # $routeSetup="CustomRedirectView/<foo>"
path("CustomRedirectView2/<foo>", views.CustomRedirectView2.as_view()), # $routeSetup="CustomRedirectView2/<foo>"
path("file-test/", views.file_test), # $routeSetup="file-test/"
]
from django import __version__ as django_version

11
python/ql/test/library-tests/frameworks/django-v2-v3/testapp/views.py
View File

@@ -2,6 +2,7 @@ from django.http import HttpRequest, HttpResponse
from django.views.generic import View, RedirectView
from django.views.decorators.csrf import csrf_exempt
from .models import MyModel
def foo(request: HttpRequest): # $requestHandler
return HttpResponse("foo") # $HttpResponse
@@ -45,3 +46,13 @@ class CustomRedirectView(RedirectView):
class CustomRedirectView2(RedirectView):
url = "https://example.com/%(foo)s"
# Test of FileField upload_to functions
def file_test(request: HttpRequest): # $ requestHandler
model = MyModel(upload=request.FILES['fieldname'])
try:
model.save()
except NotImplementedError:
pass
return HttpResponse("ok") # $ HttpResponse

12
python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
View File

@@ -74,12 +74,12 @@ WSGI_APPLICATION = 'testproj.wsgi.application'
# Database
# https://docs.djangoproject.com/en/3.1/ref/settings/#databases
# DATABASES = {
# 'default': {
# 'ENGINE': 'django.db.backends.sqlite3',
# 'NAME': BASE_DIR / 'db.sqlite3',
# }
# }
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BASE_DIR / 'db.sqlite3',
}
}
# Password validation