Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-16 09:45:24 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #797 from ErnestHysa/fix/research-path-traversal

Browse Source 
fix(research): validate session_id to block path traversal
This commit is contained in:
PewDiePie
2026-06-02 09:42:23 +09:00
committed by GitHub
parent 7187118aa6 cb6f6b65ea
commit d60ff44c1b
2 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_research_session_id_validation.py
+55
View File
@@ -0,0 +1,55 @@
"""Regression tests: research session_id must reject path-traversal sequences."""
import re
import unittest
_SESSION_ID_RE = re.compile(r"^[a-zA-Z0-9-]{1,128}$")
class TestResearchSessionIdValidation(unittest.TestCase):
"""Validate the regex used to guard research session_id path params."""
def test_accepts_rp_prefixed_id(self):
self.assertIsNotNone(_SESSION_ID_RE.fullmatch("rp-abc123def456"))
def test_accepts_standard_uuid(self):
self.assertIsNotNone(
_SESSION_ID_RE.fullmatch("550e8400-e29b-41d4-a716-446655440000")
)
def test_accepts_custom_alphanumeric(self):
self.assertIsNotNone(_SESSION_ID_RE.fullmatch("custom-id-123"))
def test_rejects_double_dot(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch(".."))
def test_rejects_single_dot(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch("."))
def test_rejects_dot_slash_traversal(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch("../../data/auth"))
def test_rejects_deep_traversal(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch("../../../etc/passwd"))
def test_rejects_mixed_traversal(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch("normal/../../traversal"))
def test_rejects_dot_prefix_traversal(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch("./../../secret"))
def test_rejects_empty(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch(""))
def test_rejects_whitespace(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch(" "))
def test_rejects_slash(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch("a/b"))
def test_rejects_null_byte(self):
self.assertIsNone(_SESSION_ID_RE.fullmatch("rp-test\x00"))
if __name__ == "__main__":
unittest.main()