Constrain gallery filenames to image root (#2828)

2026-06-05 10:29:11 +02:00
parent 0dc051dea3
commit 194985b5e1
2 changed files with 94 additions and 11 deletions
--- a/tests/test_gallery_filename_confinement.py
+++ b/tests/test_gallery_filename_confinement.py
@@ -0,0 +1,63 @@
+import os
+from pathlib import Path
+
+import pytest
+from fastapi import HTTPException
+
+
+def _gallery_module():
+    import routes.gallery_routes as gallery_routes
+    return gallery_routes
+
+
+def test_gallery_image_path_allows_safe_filename(tmp_path, monkeypatch):
+    gallery_routes = _gallery_module()
+    image_dir = tmp_path / "generated_images"
+    image_dir.mkdir()
+    monkeypatch.setattr(gallery_routes, "GALLERY_IMAGE_DIR", image_dir)
+
+    path = gallery_routes._gallery_image_path("abc123.png")
+
+    assert path == image_dir / "abc123.png"
+
+
+@pytest.mark.parametrize("filename", ["../../secret.png", "..\\secret.png", None, 12345])
+def test_gallery_image_path_rejects_unsafe_stored_filenames(tmp_path, monkeypatch, filename):
+    gallery_routes = _gallery_module()
+    image_dir = tmp_path / "generated_images"
+    image_dir.mkdir()
+    monkeypatch.setattr(gallery_routes, "GALLERY_IMAGE_DIR", image_dir)
+
+    with pytest.raises(HTTPException) as exc:
+        gallery_routes._gallery_image_path(filename)
+
+    assert exc.value.status_code == 400
+
+
+def test_gallery_image_path_rejects_symlink_escape(tmp_path, monkeypatch):
+    gallery_routes = _gallery_module()
+    image_dir = tmp_path / "generated_images"
+    image_dir.mkdir()
+    outside = tmp_path / "outside.png"
+    outside.write_bytes(b"outside image root")
+    link = image_dir / "escape.png"
+    try:
+        os.symlink(outside, link)
+    except (AttributeError, NotImplementedError, OSError) as exc:
+        pytest.skip(f"symlinks unavailable: {exc}")
+    monkeypatch.setattr(gallery_routes, "GALLERY_IMAGE_DIR", image_dir)
+
+    with pytest.raises(HTTPException) as exc:
+        gallery_routes._gallery_image_path("escape.png")
+
+    assert exc.value.status_code == 400
+
+
+def test_gallery_file_operations_use_confining_resolver():
+    source = Path("routes/gallery_routes.py").read_text(encoding="utf-8")
+
+    assert 'Path("data/generated_images") / img.filename' not in source
+    assert 'os.path.join("data", "generated_images", img.filename)' not in source
+    assert 'os.path.join("data", "generated_images", img_filename)' not in source
+    assert source.count("_gallery_image_path(img.filename)") >= 3
+    assert "_gallery_image_path(img_filename)" in source