fix: fix some security issues

2025-06-28 06:41:43 +00:00 · 2023-11-12 22:22:05 +02:00
parent e4a857dad0
commit e823fd3f27
11 changed files with 47 additions and 33 deletions
--- a/tests/ahriman/application/handlers/test_handler_help.py
+++ b/tests/ahriman/application/handlers/test_handler_help.py
@ -18,7 +18,7 @@ def _default_args(args: argparse.Namespace) -> argparse.Namespace:
        argparse.Namespace: generated arguments for these test cases
    """
    args.parser = _parser
-    args.command = None
+    args.subcommand = None
    return args


@ -39,7 +39,7 @@ def test_run_command(args: argparse.Namespace, configuration: Configuration, moc
    must run command for specific subcommand
    """
    args = _default_args(args)
-    args.command = "aur-search"
+    args.subcommand = "aur-search"
    parse_mock = mocker.patch("argparse.ArgumentParser.parse_args")

    _, repository_id = configuration.check_loaded()
--- a/tests/ahriman/application/handlers/test_handler_unsafe_commands.py
+++ b/tests/ahriman/application/handlers/test_handler_unsafe_commands.py
@ -19,7 +19,7 @@ def _default_args(args: argparse.Namespace) -> argparse.Namespace:
        argparse.Namespace: generated arguments for these test cases
    """
    args.parser = _parser
-    args.command = []
+    args.subcommand = []
    return args


@ -43,7 +43,7 @@ def test_run_check(args: argparse.Namespace, configuration: Configuration, mocke
    must run command and check if command is unsafe
    """
    args = _default_args(args)
-    args.command = ["clean"]
+    args.subcommand = ["clean"]
    commands_mock = mocker.patch("ahriman.application.handlers.UnsafeCommands.get_unsafe_commands",
                                 return_value=["command"])
    check_mock = mocker.patch("ahriman.application.handlers.UnsafeCommands.check_unsafe")
--- a/tests/ahriman/application/test_lock.py
+++ b/tests/ahriman/application/test_lock.py
@ -88,7 +88,7 @@ def test_clear(lock: Lock) -> None:
    """
    must remove lock file
    """
-    lock.path = Path(tempfile.mktemp())  # nosec
+    lock.path = Path(tempfile.gettempdir()) / "ahriman-test.lock"
    lock.path.touch()

    lock.clear()
@ -99,7 +99,7 @@ def test_clear_missing(lock: Lock) -> None:
    """
    must not fail on lock removal if file is missing
    """
-    lock.path = Path(tempfile.mktemp())  # nosec
+    lock.path = Path(tempfile.gettempdir()) / "ahriman-test.lock"
    lock.clear()


@ -116,7 +116,7 @@ def test_create(lock: Lock) -> None:
    """
    must create lock
    """
-    lock.path = Path(tempfile.mktemp())  # nosec
+    lock.path = Path(tempfile.gettempdir()) / "ahriman-test.lock"

    lock.create()
    assert lock.path.is_file()
@ -127,7 +127,7 @@ def test_create_exception(lock: Lock) -> None:
    """
    must raise exception if file already exists
    """
-    lock.path = Path(tempfile.mktemp())  # nosec
+    lock.path = Path(tempfile.gettempdir()) / "ahriman-test.lock"
    lock.path.touch()

    with pytest.raises(DuplicateRunError):
@ -149,7 +149,7 @@ def test_create_unsafe(lock: Lock) -> None:
    must not raise exception if force flag set
    """
    lock.force = True
-    lock.path = Path(tempfile.mktemp())  # nosec
+    lock.path = Path(tempfile.gettempdir()) / "ahriman-test.lock"
    lock.path.touch()

    lock.create()
@ -161,7 +161,7 @@ def test_watch(lock: Lock, mocker: MockerFixture) -> None:
    must check if lock file exists
    """
    wait_mock = mocker.patch("ahriman.models.waiter.Waiter.wait")
-    lock.path = Path(tempfile.mktemp())  # nosec
+    lock.path = Path(tempfile.gettempdir()) / "ahriman-test.lock"

    lock.watch()
    wait_mock.assert_called_once_with(lock.path.is_file)
--- a/tests/ahriman/web/views/test_view_static.py
+++ b/tests/ahriman/web/views/test_view_static.py
@ -24,8 +24,19 @@ def test_routes() -> None:

 async def test_get(client_with_auth: TestClient) -> None:
    """
-    must generate status page correctly (/)
+    must redirect favicon to static files
    """
    response = await client_with_auth.get("/favicon.ico", allow_redirects=False)
    assert response.status == 302
    assert response.headers["Location"] == "/static/favicon.ico"
+
+
+async def test_get_not_found(client_with_auth: TestClient) -> None:
+    """
+    must raise not found if path is invalid
+    """
+    for route in client_with_auth.app.router.routes():
+        if hasattr(route.handler, "ROUTES"):
+            route.handler.ROUTES = []
+    response = await client_with_auth.get("/favicon.ico", allow_redirects=False)
+    assert response.status == 404