Python django.core.exceptions.SuspiciousFileOperation() Examples
The following are 27
code examples of django.core.exceptions.SuspiciousFileOperation().
Example #1
Source File: tests.py From djongo with GNU Affero General Public License v3.0 | 6 votes |
def test_file_truncation(self):
    """
    Saving the same name twice under a limited max_length shortens the
    second stored name; when nothing is left to shorten, saving raises
    SuspiciousFileOperation.
    """
    uploads = [Storage() for _ in range(2)]
    filename = 'filename.ext'
    for upload in uploads:
        upload.limited_length.save(filename, ContentFile('Same Content'))
    try:
        # First save keeps the name; the second gets a shortened stem plus
        # an underscore and the suffix matched by FILE_SUFFIX_REGEX.
        first_name, second_name = (u.limited_length.name for u in uploads)
        self.assertEqual(first_name, 'tests/%s' % filename)
        self.assertRegex(second_name, 'tests/fi_%s.ext' % FILE_SUFFIX_REGEX)

        # A stem too short to truncate must fail loudly instead of storing
        # a name that does not fit.
        filename = 'short.longext'
        uploads[0].limited_length.save(filename, ContentFile('Same Content'))
        with self.assertRaisesMessage(SuspiciousFileOperation, 'Storage can not find an available filename'):
            uploads[1].limited_length.save(filename, ContentFile('Same Content'))
    finally:
        # Always remove the stored objects, even when an assertion fails.
        for upload in uploads:
            upload.delete()
Example #2
Source File: filesystem.py From openhgsenti with Apache License 2.0 | 6 votes |
def get_template_sources(self, template_name, template_dirs=None):
    """
    Yield an Origin for template_name under each candidate directory.

    Directories come from template_dirs when it is non-empty, otherwise
    from self.get_dirs(). A directory is skipped whenever safe_join()
    raises SuspiciousFileOperation for it, so a template_name that
    resolves outside that directory never yields an Origin there.
    """
    search_dirs = template_dirs or self.get_dirs()
    for directory in search_dirs:
        try:
            candidate = safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Rejected for this directory only; the remaining directories
            # are still tried.
            continue
        yield Origin(name=candidate, template_name=template_name, loader=self)
Example #3
Source File: filesystem.py From python2017 with MIT License | 6 votes |
def get_template_sources(self, template_name, template_dirs=None):
    """
    Yield one Origin per directory in which template_name is accepted.

    Uses template_dirs when given and non-empty, else self.get_dirs().
    safe_join() raising SuspiciousFileOperation means the joined path is
    not inside that directory; the directory is skipped, not treated as
    a fatal error.
    """
    for directory in (template_dirs if template_dirs else self.get_dirs()):
        try:
            candidate = safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Outside this directory; another one may still contain it.
            pass
        else:
            yield Origin(
                name=candidate,
                template_name=template_name,
                loader=self,
            )
Example #4
Source File: filesystem.py From python with Apache License 2.0 | 6 votes |
def get_template_sources(self, template_name, template_dirs=None):
    """
    Yield an Origin for template_name under each candidate directory.

    Directories come from template_dirs when it is non-empty, otherwise
    from self.get_dirs(). A directory is skipped whenever safe_join()
    raises SuspiciousFileOperation for it, so a template_name that
    resolves outside that directory never yields an Origin there.
    """
    search_dirs = template_dirs or self.get_dirs()
    for directory in search_dirs:
        try:
            candidate = safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Rejected for this directory only; the remaining directories
            # are still tried.
            continue
        yield Origin(name=candidate, template_name=template_name, loader=self)
Example #5
Source File: filesystem.py From Hands-On-Application-Development-with-PyCharm with MIT License | 6 votes |
def get_template_sources(self, template_name):
    """
    Yield an Origin for template_name under each directory returned by
    self.get_dirs().

    A directory is skipped when safe_join() raises
    SuspiciousFileOperation, i.e. when the joined path would not lie
    inside that directory.
    """
    for directory in self.get_dirs():
        try:
            candidate = safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Outside this directory; another one may still contain it.
            pass
        else:
            yield Origin(name=candidate, template_name=template_name, loader=self)
Example #6
Source File: __init__.py From django-gcloud-storage with BSD 3-Clause "New" or "Revised" License | 6 votes |
def safe_join(base, path):
    """
    Join path onto base as a "/"-separated key and reject results that
    do not start with the normalised base prefix.

    Backslashes are converted to "/", leading slashes are stripped from
    both arguments, and runs of "/" in the result are collapsed. Raises
    SuspiciousFileOperation when the joined value falls outside base.
    """
    prefix = force_text(base).replace("\\", "/").strip("/") + "/"
    if prefix == "/":
        # An empty base means "no prefix" rather than an absolute root.
        prefix = ""
    relative = force_text(path).replace("\\", "/").lstrip("/")

    # urljoin is relied on to resolve relative segments such as "..".
    joined = re.sub("//+", "/", urlparse.urljoin(prefix, relative))

    # NOTE(review): with an empty prefix, startswith("") is always true, so
    # this containment check accepts every joined value -- confirm that is
    # acceptable for callers that pass an empty base.
    if joined.startswith(prefix):
        return joined
    raise SuspiciousFileOperation(
        'The joined path ({}) is located outside of the base path '
        'component ({})'.format(joined, prefix))
Example #7
Source File: template_override_middleware.py From janeway with GNU Affero General Public License v3.0 | 6 votes |
def get_template_sources(self, template_name, template_dirs=None):
    """
    Yield one Origin per directory in which template_name is accepted.

    Uses template_dirs when given and non-empty, else self.get_dirs().
    safe_join() raising SuspiciousFileOperation means the joined path is
    not inside that directory; the directory is skipped, not treated as
    a fatal error.
    """
    for directory in (template_dirs if template_dirs else self.get_dirs()):
        try:
            candidate = safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Outside this directory; another one may still contain it.
            pass
        else:
            yield Origin(
                name=candidate,
                template_name=template_name,
                loader=self,
            )
Example #8
Source File: storage.py From lego with MIT License | 6 votes |
def get_available_name(self, bucket, key, max_length=32, force_name_change=False):
    """
    Return a key that is unused in bucket and no longer than max_length.

    While the key exists, is too long, or force_name_change is set (first
    pass only), an underscore and a 7-character random string are
    inserted before the extension. The stem is shortened when the result
    exceeds max_length; SuspiciousFileOperation is raised once the stem
    has been truncated away entirely.
    """
    file_root, file_ext = os.path.splitext(key)
    while True:
        over_limit = max_length and len(key) > max_length
        if not (force_name_change or self.key_exists(bucket, key) or over_limit):
            break
        # The forced rename applies to the first iteration only.
        force_name_change = False
        # file_ext includes the dot.
        key = "%s_%s%s" % (file_root, get_random_string(7), file_ext)
        if max_length is None:
            continue
        # Shorten the stem by exactly the number of excess characters.
        overflow = len(key) - max_length
        if overflow > 0:
            file_root = file_root[:-overflow]
            # Nothing left of the stem: no name can satisfy max_length.
            if not file_root:
                raise SuspiciousFileOperation(
                    'Storage can not find an available filename for "%s". '
                    "Please make sure that the corresponding file field "
                    'allows sufficient "max_length".' % key
                )
            key = "%s_%s%s" % (file_root, get_random_string(7), file_ext)
    return key
Example #9
Source File: filesystem.py From bioforum with MIT License | 6 votes |
def get_template_sources(self, template_name):
    """
    Yield an Origin for template_name under each directory returned by
    self.get_dirs().

    A directory is skipped when safe_join() raises
    SuspiciousFileOperation, i.e. when the joined path would not lie
    inside that directory.
    """
    for directory in self.get_dirs():
        try:
            candidate = safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Outside this directory; another one may still contain it.
            pass
        else:
            yield Origin(name=candidate, template_name=template_name, loader=self)
Example #10
Source File: models.py From wagtailvideos with BSD 3-Clause "New" or "Revised" License | 6 votes |
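def get_upload_to(self, filename):
    """
    Return the storage path 'original_videos/<name>' for an upload.

    The name is first passed through the storage's get_valid_name(). If
    the resulting path is longer than the file field's max_length, the
    stem (the part before the extension) is shortened by the excess.
    Raises SuspiciousFileOperation when the excess is larger than the
    stem, because the path could then not be brought under max_length.
    """
    folder_name = 'original_videos'
    filename = self.file.field.storage.get_valid_name(filename)
    max_length = self._meta.get_field('file').max_length

    # Truncate filename so it fits in the 100 character limit
    # https://code.djangoproject.com/ticket/9893
    file_path = os.path.join(folder_name, filename)
    too_long = len(file_path) - max_length
    if too_long > 0:
        head, ext = os.path.splitext(filename)
        # Only the stem can absorb the excess. Comparing against
        # len(head) + 1 let an excess of len(head) + 1 through, which
        # produced a path one character over max_length.
        if too_long > len(head):
            raise SuspiciousFileOperation('File name can not be shortened to a safe length')
        filename = head[:-too_long] + ext
        file_path = os.path.join(folder_name, filename)
    return file_path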
Example #11
Source File: template_loaders.py From tethys with BSD 2-Clause "Simplified" License | 6 votes |
def get_template_sources(self, template_name, template_dirs=None):
    """
    Yield an Origin for template_name under each candidate directory.

    Directories come from template_dirs when it is non-empty, otherwise
    from get_directories_in_tethys(('templates',)). A directory is
    skipped when safe_join() raises SuspiciousFileOperation, so a name
    that resolves outside that directory yields nothing for it.
    """
    search_dirs = template_dirs or get_directories_in_tethys(('templates',))
    for directory in search_dirs:
        try:
            candidate = safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Rejected for this directory only; the remaining directories
            # are still tried.
            continue
        yield Origin(name=candidate, template_name=template_name, loader=self)
Example #12
Source File: _os.py From python with Apache License 2.0 | 5 votes |
def safe_join(base, *paths):
    """
    Join paths onto base and return the normalized, absolute result.

    Raises SuspiciousFileOperation (not ValueError) when the result is
    not located inside base. The comparison is case-normalized with
    normcase so case-insensitive platforms are handled.
    """
    base = force_text(base)
    components = [force_text(part) for part in paths]
    # abspathu is defined outside this block; presumably an abspath
    # variant -- confirm.
    final_path = abspathu(join(base, *components))
    base_path = abspathu(base)

    norm_final = normcase(final_path)
    norm_base = normcase(base_path)
    # a) base followed by a separator, so "/dir" does not match "/dirx".
    inside_base = norm_final.startswith(normcase(base_path + sep))
    # b) the result is the base itself.
    is_base_itself = norm_final == norm_base
    # c) base is the top-most path ("/" or "C:\\"): it is its own parent.
    base_is_root = dirname(norm_base) == norm_base

    # NOTE(review): no realpath call is visible here, so a symlink inside
    # base that points elsewhere would presumably pass -- confirm whether
    # callers need symlinks resolved.
    if not (inside_base or is_base_itself or base_is_root):
        raise SuspiciousFileOperation(
            'The joined path ({}) is located outside of the base path '
            'component ({})'.format(final_path, base_path))
    return final_path
Example #13
Source File: tests.py From djongo with GNU Affero General Public License v3.0 | 5 votes |
def test_file_storage_prevents_directory_traversal(self):
    """
    The storage refuses names that point outside its location: both a
    parent reference and an absolute path must raise
    SuspiciousFileOperation from exists().
    """
    for outside_name in ('..', '/etc/passwd'):
        with self.assertRaises(SuspiciousFileOperation):
            self.storage.exists(outside_name)
Example #14
Source File: test_os_utils.py From djongo with GNU Affero General Public License v3.0 | 5 votes |
def test_parent_path(self):
    """safe_join() must reject a component that climbs out of the base."""
    base, escaping = "/abc/", "../def"
    with self.assertRaises(SuspiciousFileOperation):
        safe_join(base, escaping)
Example #15
Source File: test_os_utils.py From djongo with GNU Affero General Public License v3.0 | 5 votes |
def test_parent_path(self):
    """A "../" component that leaves the base makes safe_join() raise."""
    join_args = ("/abc/", "../def")
    with self.assertRaises(SuspiciousFileOperation):
        safe_join(*join_args)
Example #16
Source File: test_utils.py From django-storages with BSD 3-Clause "New" or "Revised" License | 5 votes |
def test_truncates_away_filename_raises(self):
    """
    gaon() raises SuspiciousFileOperation when the limit is five
    characters shorter than the name 'parent/child.txt'.
    """
    name = 'parent/child.txt'
    limit = len(name) - 5
    with self.assertRaises(SuspiciousFileOperation):
        gaon(name, limit)
Example #17
Source File: test_template_loaders.py From tethys with BSD 2-Clause "Simplified" License | 5 votes |
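def test_get_template_sources_exception(self, mock_gdt, _, mock_safe_join):
    """
    A directory for which safe_join raises SuspiciousFileOperation is
    skipped, and the next directory still yields its Origin.
    """
    from django.core.exceptions import SuspiciousFileOperation
    tethys_template_loader = TethysTemplateLoader(self.mock_engine)
    mock_gdt.return_value = ['/foo/template1', '/foo/template2']
    # First directory is rejected, second one resolves normally.
    mock_safe_join.side_effect = [SuspiciousFileOperation, '/foo/template2/foo']
    expected_template_name = 'foo'

    origins = list(tethys_template_loader.get_template_sources(expected_template_name))

    # Asserting only inside a loop over the generator would pass when
    # nothing is yielded; require exactly the one surviving origin.
    self.assertEqual(1, len(origins))
    origin = origins[0]
    self.assertEqual('/foo/template2/foo', origin.name)
    self.assertEqual('foo', origin.template_name)
    self.assertTrue(isinstance(origin.loader, TethysTemplateLoader))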
Example #18
Source File: _os.py From python2017 with MIT License | 5 votes |
def safe_join(base, *paths):
    """
    Join paths onto base and return the normalized, absolute result.

    Raises SuspiciousFileOperation (not ValueError) when the result is
    not located inside base. The comparison is case-normalized with
    normcase so case-insensitive platforms are handled.
    """
    base = force_text(base)
    components = [force_text(part) for part in paths]
    # abspathu is defined outside this block; presumably an abspath
    # variant -- confirm.
    final_path = abspathu(join(base, *components))
    base_path = abspathu(base)

    norm_final = normcase(final_path)
    norm_base = normcase(base_path)
    # a) base followed by a separator, so "/dir" does not match "/dirx".
    inside_base = norm_final.startswith(normcase(base_path + sep))
    # b) the result is the base itself.
    is_base_itself = norm_final == norm_base
    # c) base is the top-most path ("/" or "C:\\"): it is its own parent.
    base_is_root = dirname(norm_base) == norm_base

    # NOTE(review): no realpath call is visible here, so a symlink inside
    # base that points elsewhere would presumably pass -- confirm whether
    # callers need symlinks resolved.
    if not (inside_base or is_base_itself or base_is_root):
        raise SuspiciousFileOperation(
            'The joined path ({}) is located outside of the base path '
            'component ({})'.format(final_path, base_path))
    return final_path
Example #19
Source File: _os.py From openhgsenti with Apache License 2.0 | 5 votes |
def safe_join(base, *paths):
    """
    Join path components onto base; return the absolute, normalized path.

    The result must lie inside base, otherwise SuspiciousFileOperation is
    raised (the code does not raise ValueError).
    """
    base = force_text(base)
    parts = [force_text(p) for p in paths]
    # abspathu comes from outside this block; presumably behaves like
    # os.path.abspath -- confirm.
    final_path = abspathu(join(base, *parts))
    base_path = abspathu(base)

    final_cmp = normcase(final_path)
    base_cmp = normcase(base_path)
    acceptable = (
        # Inside base: the prefix must end at a separator, otherwise
        # "/dir" would also accept "/dir-other".
        final_cmp.startswith(normcase(base_path + sep))
        # Exactly the base path.
        or final_cmp == base_cmp
        # Base is the most-root path ("/" or "C:\\"), its own dirname.
        or dirname(base_cmp) == base_cmp
    )
    # NOTE(review): this is a string comparison on normalized paths; no
    # symlink resolution is visible here -- confirm callers do not rely
    # on it for links that point outside base.
    if acceptable:
        return final_path
    raise SuspiciousFileOperation(
        'The joined path ({}) is located outside of the base path '
        'component ({})'.format(final_path, base_path))
Example #20
Source File: _os.py From GTDWeb with GNU General Public License v2.0 | 5 votes |
def safe_join(base, *paths):
    """
    Join path components onto base; return the absolute, normalized path.

    The result must lie inside base, otherwise SuspiciousFileOperation is
    raised (the code does not raise ValueError).
    """
    base = force_text(base)
    parts = [force_text(p) for p in paths]
    # abspathu comes from outside this block; presumably behaves like
    # os.path.abspath -- confirm.
    final_path = abspathu(join(base, *parts))
    base_path = abspathu(base)

    final_cmp = normcase(final_path)
    base_cmp = normcase(base_path)
    acceptable = (
        # Inside base: the prefix must end at a separator, otherwise
        # "/dir" would also accept "/dir-other".
        final_cmp.startswith(normcase(base_path + sep))
        # Exactly the base path.
        or final_cmp == base_cmp
        # Base is the most-root path ("/" or "C:\\"), its own dirname.
        or dirname(base_cmp) == base_cmp
    )
    # NOTE(review): this is a string comparison on normalized paths; no
    # symlink resolution is visible here -- confirm callers do not rely
    # on it for links that point outside base.
    if acceptable:
        return final_path
    raise SuspiciousFileOperation(
        'The joined path ({}) is located outside of the base path '
        'component ({})'.format(final_path, base_path))
Example #21
Source File: _os.py From Hands-On-Application-Development-with-PyCharm with MIT License | 5 votes |
def safe_join(base, *paths):
    """
    Join paths onto base and return the normalized, absolute result.

    Raise SuspiciousFileOperation (not ValueError) if the result isn't
    located inside base. The comparison is case-normalized with normcase
    so case-insensitive platforms are handled.
    """
    base = force_text(base)
    components = [force_text(part) for part in paths]
    final_path = abspath(join(base, *components))
    base_path = abspath(base)

    norm_final = normcase(final_path)
    norm_base = normcase(base_path)
    # a) base followed by a separator, so "/dir" does not match "/dirx".
    inside_base = norm_final.startswith(normcase(base_path + sep))
    # b) the result is the base itself.
    is_base_itself = norm_final == norm_base
    # c) base is the top-most path ("/" or "C:\\"): it is its own parent.
    base_is_root = dirname(norm_base) == norm_base

    # NOTE(review): assuming abspath here is os.path.abspath, it does not
    # resolve symlinks, so a link inside base that points elsewhere would
    # pass this check -- confirm whether callers need realpath semantics.
    if not (inside_base or is_base_itself or base_is_root):
        raise SuspiciousFileOperation(
            'The joined path ({}) is located outside of the base path '
            'component ({})'.format(final_path, base_path))
    return final_path
Example #22
Source File: templates.py From zing with GNU General Public License v3.0 | 5 votes |
def get_template_source(name, dirs=None):
    """Return the contents of the first template file matching *name*.

    :param name: Template's filename, as passed to the template loader.
    :param dirs: accepted for callers, but not read by this function;
        directories always come from each loader's ``get_dirs()``.
    :return: the file contents as read from the first file that opens.
    :raises TemplateDoesNotExist: if no directory holds a readable file.
    """
    # Flatten the loader list: a loader exposing ``loaders`` (such as a
    # cached loader) contributes its wrapped loaders instead of itself.
    flat_loaders = []
    for candidate in Engine.get_default().template_loaders:
        flat_loaders.extend(getattr(candidate, "loaders", [candidate]))

    for loader in flat_loaders:
        for template_dir in loader.get_dirs():
            try:
                filename = safe_join(template_dir, name)
            except SuspiciousFileOperation:
                # name resolves outside this directory; it is never opened
                # here, but another directory may still contain it.
                continue

            try:
                with open(filename, encoding=loader.engine.file_charset) as fp:
                    return fp.read()
            except FileNotFoundError:
                continue

    raise TemplateDoesNotExist(name)
Example #23
Source File: test_class.py From django-gcloud-storage with BSD 3-Clause "New" or "Revised" License | 5 votes |
def test_should_not_allow_escaping_base_path(self):
    """safe_join() rejects "../" paths, with or without a leading slash."""
    for escaping in ("../index.html", "/../index.html"):
        with pytest.raises(SuspiciousFileOperation):
            safe_join("test", escaping)
Example #24
Source File: _os.py From bioforum with MIT License | 5 votes |
def safe_join(base, *paths):
    """
    Join path components onto base; return the absolute, normalized path.

    Raise SuspiciousFileOperation if the result isn't located inside base
    (the code does not raise ValueError).
    """
    base = force_text(base)
    parts = [force_text(p) for p in paths]
    final_path = abspath(join(base, *parts))
    base_path = abspath(base)

    final_cmp = normcase(final_path)
    base_cmp = normcase(base_path)
    acceptable = (
        # Inside base: the prefix must end at a separator, otherwise
        # "/dir" would also accept "/dir-other".
        final_cmp.startswith(normcase(base_path + sep))
        # Exactly the base path.
        or final_cmp == base_cmp
        # Base is the most-root path ("/" or "C:\\"), its own dirname.
        or dirname(base_cmp) == base_cmp
    )
    # NOTE(review): assuming abspath here is os.path.abspath, symlinks are
    # not resolved, so a link inside base that points elsewhere would be
    # accepted -- confirm whether callers need realpath semantics.
    if acceptable:
        return final_path
    raise SuspiciousFileOperation(
        'The joined path ({}) is located outside of the base path '
        'component ({})'.format(final_path, base_path))
Example #25
Source File: storage.py From GTDWeb with GNU General Public License v2.0 | 5 votes |
def get_available_name(self, name, max_length=None):
    """
    Return a filename that does not exist yet on this storage and, when
    max_length is given, is no longer than max_length.

    While the name exists or is too long, an underscore and a
    7-character random string are inserted before the extension. The
    stem is shortened when the result exceeds max_length;
    SuspiciousFileOperation is raised once the stem is truncated away.
    """
    dir_name, file_name = os.path.split(name)
    file_root, file_ext = os.path.splitext(file_name)
    while True:
        over_limit = max_length and len(name) > max_length
        if not (self.exists(name) or over_limit):
            break
        # file_ext includes the dot.
        name = os.path.join(dir_name, "%s_%s%s" % (file_root, get_random_string(7), file_ext))
        if max_length is None:
            continue
        # Shorten the stem by exactly the number of excess characters.
        overflow = len(name) - max_length
        if overflow > 0:
            file_root = file_root[:-overflow]
            # Nothing left of the stem: no name can satisfy max_length.
            if not file_root:
                raise SuspiciousFileOperation(
                    'Storage can not find an available filename for "%s". '
                    'Please make sure that the corresponding file field '
                    'allows sufficient "max_length".' % name
                )
            name = os.path.join(dir_name, "%s_%s%s" % (file_root, get_random_string(7), file_ext))
    return name
Example #26
Source File: filesystem.py From GTDWeb with GNU General Public License v2.0 | 5 votes |
def get_template_sources(self, template_name, template_dirs=None):
    """
    Yield the path safe_join() returns for template_name under each
    candidate directory.

    Directories come from template_dirs when it is non-empty, otherwise
    from self.engine.dirs. A directory is skipped when safe_join()
    raises SuspiciousFileOperation, so paths outside a template
    directory are never yielded.
    """
    search_dirs = template_dirs if template_dirs else self.engine.dirs
    for directory in search_dirs:
        try:
            yield safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Outside this directory; another one may still contain it.
            continue
Example #27
Source File: app_directories.py From GTDWeb with GNU General Public License v2.0 | 5 votes |
def get_template_sources(self, template_name, template_dirs=None):
    """
    Yield the path safe_join() returns for template_name under each
    candidate directory.

    Directories come from template_dirs when it is non-empty, otherwise
    from get_app_template_dirs('templates'). A directory is skipped when
    safe_join() raises SuspiciousFileOperation, so paths outside a
    template directory are never yielded.
    """
    search_dirs = template_dirs if template_dirs else get_app_template_dirs('templates')
    for directory in search_dirs:
        try:
            yield safe_join(directory, template_name)
        except SuspiciousFileOperation:
            # Outside this directory; another one may still contain it.
            continue