| -rw-r--r-- | snekbox/api/resources/eval.py | 6 | ||||
| -rw-r--r-- | tests/api/test_eval.py | 11 | 
2 files changed, 10 insertions, 7 deletions
diff --git a/snekbox/api/resources/eval.py b/snekbox/api/resources/eval.py
index cedeb2e..764cc0b 100644
--- a/snekbox/api/resources/eval.py
+++ b/snekbox/api/resources/eval.py
@@ -33,7 +33,11 @@ class EvalResource:
                 "items": {
                     "type": "object",
                     "properties": {
-                        "path": {"type": "string"},
+                        "path": {
+                            "type": "string",
+                            # Disallow single forward slashes, absolute paths, and null bytes
+                            "pattern": r"^[^/\\0].*",
+                        },
                         "content": {"type": "string"},
                     },
                     "required": ["path"],
diff --git a/tests/api/test_eval.py b/tests/api/test_eval.py
index c103880..41bdd35 100644
--- a/tests/api/test_eval.py
+++ b/tests/api/test_eval.py
@@ -78,8 +78,10 @@ class TestEvalResource(SnekAPITestCase):
                 self.assertEqual(expected, result.json)
 
     def test_files_illegal_path_absolute(self):
-        """Absolute file paths should be denied with 400 error."""
+        """Absolute file paths should 400-error at json schema validation stage."""
         test_paths = [
+            "/",
+            "/etc",
             "/etc/vars/secrets",
             "/absolute",
             "/file.bin",
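Review bot: The new `pattern` does not do what its comment says: because the literal is a raw string, the regex engine receives `\\0`, i.e. an escaped backslash followed by the digit `0`, so the class rejects paths beginning with `\` or `0` (such as `0.txt`) while a leading NUL character is still accepted, and a NUL anywhere after the first character is never examined because only that one character is constrained. If the intent is to reject absolute paths and any NUL byte, `"pattern": r"^[^/\0][^\0]*\Z"` expresses that (jsonschema applies `re.search`, so the `\Z` anchor is needed to cover the whole string), with the comment reworded to `# Reject absolute paths and any NUL byte; '..' segments are left to later stages`. Note that `..` segments still satisfy this pattern, so the downstream path handling presumably remains responsible for them — confirm. The schema dict containing this key starts and ends outside the hunk.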
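Review bot: The added `test_paths` entries exercise only a leading `/`, yet the schema pattern this test now validates against is commented as also rejecting null bytes; adding a constructed case such as `"a\x00b"` to `test_paths` (or to a sibling test with its own docstring) would pin that intent and currently would show that only the first character of the path is checked. The `test_paths` list continues past the end of the hunk.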
@@ -89,11 +91,8 @@ class TestEvalResource(SnekAPITestCase):
                 body = {"args": ["test.py"], "files": [{"path": path}]}
                 result = self.simulate_post(self.PATH, json=body)
                 self.assertEqual(result.status_code, 400)
-                expected = {
-                    "title": "Request file path failed validation",
-                    "description": f"File path '{path}' must be relative",
-                }
-                self.assertEqual(expected, result.json)
+                self.assertEqual("Request data failed validation", result.json["title"])
+                self.assertIn("does not match", result.json["description"])
 
     def test_post_invalid_content_type_415(self):
         body = "{'input': 'foo'}"
