Files @ 94c56bb468cb
Branch filter:

Location: website/conservancy/tests.py

94c56bb468cb 1.3 KiB text/x-python Show Annotation Show as Raw Download as Raw
bsturmfels
Rewrite the `index` view to avoid risk of path traversal

I've simplified this view by removing the custom HTTP error handlers, Python 3.5
exception handling and adding documentation.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
import datetime

from django.http import Http404
from django.test import RequestFactory, TestCase

from . import views
from conservancy.fundgoal.models import FundraisingGoal


class ContentTest(TestCase):
    def setUp(self):
        self.factory = RequestFactory()
        FundraisingGoal.objects.create(
            fundraiser_code_name='cy2023-end-year-match',
            fundraiser_goal_amount=0,
            fundraiser_so_far_amount=0,
            fundraiser_donation_count=0,
            fundraiser_donation_count_disclose_threshold=0,
            fundraiser_endtime=datetime.datetime(2000, 1, 1)
        )

    def test_about_page_served(self):
        request = self.factory.get('/about/')
        with self.assertTemplateUsed('about/index.html'):
            response = views.index(request).render()
        self.assertContains(response, 'Conservancy is a nonprofit organization')

    def test_annual_report_file_served(self):
        request = self.factory.get('/docs/conservancy_annual-report_fy-2011.pdf')
        response = views.index(request)
        self.assertEqual(response.headers['Content-Type'], 'application/pdf')

    def test_path_traversal_404s(self):
        request = self.factory.get('/about/../../settings.py')
        with self.assertRaises(Http404):
            views.index(request)
Server instance: kapok.sfconservancy.org-18991 This site is powered by Kallithea 0.6.3, which is © 2010–2020 by various authors & licensed under GPLv3. – SupportPrivacy Policy