django/tests/file_storage/test_generate_filename.py

import os

from django.core.exceptions import SuspiciousFileOperation
from django.core.files.base import ContentFile
from django.core.files.storage import FileSystemStorage, Storage
from django.db.models import FileField
from django.test import SimpleTestCase


class AWSS3Storage(Storage):
    """
    Simulate an AWS S3 storage which uses Unix-like paths and allows any
    characters in file names but where there aren't actual folders but just
    keys.
    """

    prefix = "mys3folder/"

    def _save(self, name, content):
        """
        This method is important to test that Storage.save() doesn't replace
        '\' with '/' (rather FileSystemStorage.save() does).
        """
        return name

    def get_valid_name(self, name):
        return name

    def get_available_name(self, name, max_length=None):
        return name

    def generate_filename(self, filename):
        """
        This is the method that's important to override when using S3 so that
        os.path() isn't called, which would break S3 keys.
        """
        return self.prefix + self.get_valid_name(filename)


class GenerateFilenameStorageTests(SimpleTestCase):
    def test_storage_dangerous_paths(self):
        candidates = [
            ("/tmp/..", ".."),
            ("/tmp/.", "."),
            ("", ""),
        ]
        s = FileSystemStorage()
        msg = "Could not derive file name from '%s'"
        for file_name, base_name in candidates:
            with self.subTest(file_name=file_name):
                with self.assertRaisesMessage(SuspiciousFileOperation, msg % base_name):
                    s.get_available_name(file_name)
                with self.assertRaisesMessage(SuspiciousFileOperation, msg % base_name):
                    s.generate_filename(file_name)

    def test_storage_dangerous_paths_dir_name(self):
        candidates = [
            ("tmp/../path", "tmp/.."),
            ("tmp\\..\\path", "tmp/.."),
            ("/tmp/../path", "/tmp/.."),
            ("\\tmp\\..\\path", "/tmp/.."),
        ]
        s = FileSystemStorage()
        for file_name, path in candidates:
            msg = "Detected path traversal attempt in '%s'" % path
            with self.subTest(file_name=file_name):
                with self.assertRaisesMessage(SuspiciousFileOperation, msg):
                    s.get_available_name(file_name)
                with self.assertRaisesMessage(SuspiciousFileOperation, msg):
                    s.generate_filename(file_name)

    def test_filefield_dangerous_filename(self):
        candidates = [
            ("..", "some/folder/.."),
            (".", "some/folder/."),
            ("", "some/folder/"),
            ("???", "???"),
            ("$.$.$", "$.$.$"),
        ]
        f = FileField(upload_to="some/folder/")
        for file_name, msg_file_name in candidates:
            msg = f"Could not derive file name from '{msg_file_name}'"
            with self.subTest(file_name=file_name):
                with self.assertRaisesMessage(SuspiciousFileOperation, msg):
                    f.generate_filename(None, file_name)

    def test_filefield_dangerous_filename_dot_segments(self):
        f = FileField(upload_to="some/folder/")
        msg = "Detected path traversal attempt in 'some/folder/../path'"
        with self.assertRaisesMessage(SuspiciousFileOperation, msg):
            f.generate_filename(None, "../path")

    def test_filefield_generate_filename_absolute_path(self):
        f = FileField(upload_to="some/folder/")
        candidates = [
            "/tmp/path",
            "/tmp/../path",
        ]
        for file_name in candidates:
            msg = f"Detected path traversal attempt in '{file_name}'"
            with self.subTest(file_name=file_name):
                with self.assertRaisesMessage(SuspiciousFileOperation, msg):
                    f.generate_filename(None, file_name)

    def test_filefield_generate_filename(self):
        f = FileField(upload_to="some/folder/")
        self.assertEqual(
            f.generate_filename(None, "test with space.txt"),
            os.path.normpath("some/folder/test_with_space.txt"),
        )

    def test_filefield_generate_filename_with_upload_to(self):
        def upload_to(instance, filename):
            return "some/folder/" + filename

        f = FileField(upload_to=upload_to)
        self.assertEqual(
            f.generate_filename(None, "test with space.txt"),
            os.path.normpath("some/folder/test_with_space.txt"),
        )

    def test_filefield_generate_filename_upload_to_overrides_dangerous_filename(self):
        def upload_to(instance, filename):
            return "test.txt"

        f = FileField(upload_to=upload_to)
        candidates = [
            "/tmp/.",
            "/tmp/..",
            "/tmp/../path",
            "/tmp/path",
            "some/folder/",
            "some/folder/.",
            "some/folder/..",
            "some/folder/???",
            "some/folder/$.$.$",
            "some/../test.txt",
            "",
        ]
        for file_name in candidates:
            with self.subTest(file_name=file_name):
                self.assertEqual(f.generate_filename(None, file_name), "test.txt")

    def test_filefield_generate_filename_upload_to_absolute_path(self):
        def upload_to(instance, filename):
            return "/tmp/" + filename

        f = FileField(upload_to=upload_to)
        candidates = [
            "path",
            "../path",
            "???",
            "$.$.$",
        ]
        for file_name in candidates:
            msg = f"Detected path traversal attempt in '/tmp/{file_name}'"
            with self.subTest(file_name=file_name):
                with self.assertRaisesMessage(SuspiciousFileOperation, msg):
                    f.generate_filename(None, file_name)

    def test_filefield_generate_filename_upload_to_dangerous_filename(self):
        def upload_to(instance, filename):
            return "/tmp/" + filename

        f = FileField(upload_to=upload_to)
        candidates = ["..", ".", ""]
        for file_name in candidates:
            msg = f"Could not derive file name from '/tmp/{file_name}'"
            with self.subTest(file_name=file_name):
                with self.assertRaisesMessage(SuspiciousFileOperation, msg):
                    f.generate_filename(None, file_name)

    def test_filefield_awss3_storage(self):
        """
        Simulate a FileField with an S3 storage which uses keys rather than
        folders and names. FileField and Storage shouldn't have any os.path()
        calls that break the key.
        """
        storage = AWSS3Storage()
        folder = "not/a/folder/"

        f = FileField(upload_to=folder, storage=storage)
        key = "my-file-key\\with odd characters"
        data = ContentFile("test")
        expected_key = AWSS3Storage.prefix + folder + key

        # Simulate call to f.save()
        result_key = f.generate_filename(None, key)
        self.assertEqual(result_key, expected_key)

        result_key = storage.save(result_key, data)
        self.assertEqual(result_key, expected_key)

        # Repeat test with a callable.
        def upload_to(instance, filename):
            # Return a non-normalized path on purpose.
            return folder + filename

        f = FileField(upload_to=upload_to, storage=storage)

        # Simulate call to f.save()
        result_key = f.generate_filename(None, key)
        self.assertEqual(result_key, expected_key)

        result_key = storage.save(result_key, data)
        self.assertEqual(result_key, expected_key)
Fixed #26058 -- Delegated os.path bits of FileField's filename generation to the Storage. 2016-03-21 09:51:17 +08:00			`import os`

Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`from django.core.exceptions import SuspiciousFileOperation`
Fixed #26058 -- Delegated os.path bits of FileField's filename generation to the Storage. 2016-03-21 09:51:17 +08:00			`from django.core.files.base import ContentFile`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`from django.core.files.storage import FileSystemStorage, Storage`
Fixed #26058 -- Delegated os.path bits of FileField's filename generation to the Storage. 2016-03-21 09:51:17 +08:00			`from django.db.models import FileField`
			`from django.test import SimpleTestCase`


			`class AWSS3Storage(Storage):`
			`"""`
			`Simulate an AWS S3 storage which uses Unix-like paths and allows any`
			`characters in file names but where there aren't actual folders but just`
			`keys.`
			`"""`
Refs #33476 -- Reformatted code with Black. 2022-02-04 03:24:19 +08:00
Fixed #26058 -- Delegated os.path bits of FileField's filename generation to the Storage. 2016-03-21 09:51:17 +08:00			`prefix = "mys3folder/"`

			`def _save(self, name, content):`
			`"""`
			`This method is important to test that Storage.save() doesn't replace`
			`'\' with '/' (rather FileSystemStorage.save() does).`
			`"""`
			`return name`

			`def get_valid_name(self, name):`
			`return name`

			`def get_available_name(self, name, max_length=None):`
			`return name`

			`def generate_filename(self, filename):`
			`"""`
			`This is the method that's important to override when using S3 so that`
			`os.path() isn't called, which would break S3 keys.`
			`"""`
			`return self.prefix + self.get_valid_name(filename)`


			`class GenerateFilenameStorageTests(SimpleTestCase):`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`def test_storage_dangerous_paths(self):`
			`candidates = [`
			`("/tmp/..", ".."),`
			`("/tmp/.", "."),`
			`("", ""),`
			`]`
			`s = FileSystemStorage()`
			`msg = "Could not derive file name from '%s'"`
			`for file_name, base_name in candidates:`
			`with self.subTest(file_name=file_name):`
			`with self.assertRaisesMessage(SuspiciousFileOperation, msg % base_name):`
			`s.get_available_name(file_name)`
			`with self.assertRaisesMessage(SuspiciousFileOperation, msg % base_name):`
			`s.generate_filename(file_name)`

			`def test_storage_dangerous_paths_dir_name(self):`
Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. Thanks to Dennis Brinkrolf for the report. 2021-12-18 04:07:50 +08:00			`candidates = [`
			`("tmp/../path", "tmp/.."),`
			`("tmp\\..\\path", "tmp/.."),`
			`("/tmp/../path", "/tmp/.."),`
			`("\\tmp\\..\\path", "/tmp/.."),`
			`]`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`s = FileSystemStorage()`
Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. Thanks to Dennis Brinkrolf for the report. 2021-12-18 04:07:50 +08:00			`for file_name, path in candidates:`
			`msg = "Detected path traversal attempt in '%s'" % path`
			`with self.subTest(file_name=file_name):`
			`with self.assertRaisesMessage(SuspiciousFileOperation, msg):`
			`s.get_available_name(file_name)`
			`with self.assertRaisesMessage(SuspiciousFileOperation, msg):`
			`s.generate_filename(file_name)`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00
			`def test_filefield_dangerous_filename(self):`
Fixed #32718 -- Relaxed file name validation in FileField. - Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. 2021-05-13 14:53:44 +08:00			`candidates = [`
			`("..", "some/folder/.."),`
			`(".", "some/folder/."),`
			`("", "some/folder/"),`
			`("???", "???"),`
			`("$.$.$", "$.$.$"),`
			`]`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`f = FileField(upload_to="some/folder/")`
Fixed #32718 -- Relaxed file name validation in FileField. - Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. 2021-05-13 14:53:44 +08:00			`for file_name, msg_file_name in candidates:`
			`msg = f"Could not derive file name from '{msg_file_name}'"`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`with self.subTest(file_name=file_name):`
Fixed #32718 -- Relaxed file name validation in FileField. - Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. 2021-05-13 14:53:44 +08:00			`with self.assertRaisesMessage(SuspiciousFileOperation, msg):`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`f.generate_filename(None, file_name)`

Fixed #32718 -- Relaxed file name validation in FileField. - Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. 2021-05-13 14:53:44 +08:00			`def test_filefield_dangerous_filename_dot_segments(self):`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`f = FileField(upload_to="some/folder/")`
Fixed #32718 -- Relaxed file name validation in FileField. - Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. 2021-05-13 14:53:44 +08:00			`msg = "Detected path traversal attempt in 'some/folder/../path'"`
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-15 00:23:44 +08:00			`with self.assertRaisesMessage(SuspiciousFileOperation, msg):`
Fixed #32718 -- Relaxed file name validation in FileField. - Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. 2021-05-13 14:53:44 +08:00			`f.generate_filename(None, "../path")`

			`def test_filefield_generate_filename_absolute_path(self):`
			`f = FileField(upload_to="some/folder/")`
			`candidates = [`
			`"/tmp/path",`
			`"/tmp/../path",`
			`]`
			`for file_name in candidates:`
			`msg = f"Detected path traversal attempt in '{file_name}'"`
			`with self.subTest(file_name=file_name):`
			`with self.assertRaisesMessage(SuspiciousFileOperation, msg):`
			`f.generate_filename(None, file_name)`
Fixed #26058 -- Delegated os.path bits of FileField's filename generation to the Storage. 2016-03-21 09:51:17 +08:00
			`def test_filefield_generate_filename(self):`
			`f = FileField(upload_to="some/folder/")`
			`self.assertEqual(`
			`f.generate_filename(None, "test with space.txt"),`
			`os.path.normpath("some/folder/test_with_space.txt"),`
			`)`

			`def test_filefield_generate_filename_with_upload_to(self):`
			`def upload_to(instance, filename):`
			`return "some/folder/" + filename`

			`f = FileField(upload_to=upload_to)`
			`self.assertEqual(`
			`f.generate_filename(None, "test with space.txt"),`
			`os.path.normpath("some/folder/test_with_space.txt"),`
			`)`

Fixed #32718 -- Relaxed file name validation in FileField. - Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3. 2021-05-13 14:53:44 +08:00			`def test_filefield_generate_filename_upload_to_overrides_dangerous_filename(self):`
			`def upload_to(instance, filename):`
			`return "test.txt"`

			`f = FileField(upload_to=upload_to)`
			`candidates = [`
			`"/tmp/.",`
			`"/tmp/..",`
			`"/tmp/../path",`
			`"/tmp/path",`
			`"some/folder/",`
			`"some/folder/.",`
			`"some/folder/..",`
			`"some/folder/???",`
			`"some/folder/$.$.$",`
			`"some/../test.txt",`
			`"",`
			`]`
			`for file_name in candidates:`
			`with self.subTest(file_name=file_name):`
			`self.assertEqual(f.generate_filename(None, file_name), "test.txt")`

			`def test_filefield_generate_filename_upload_to_absolute_path(self):`
			`def upload_to(instance, filename):`
			`return "/tmp/" + filename`

			`f = FileField(upload_to=upload_to)`
			`candidates = [`
			`"path",`
			`"../path",`
			`"???",`
			`"$.$.$",`
			`]`
			`for file_name in candidates:`
			`msg = f"Detected path traversal attempt in '/tmp/{file_name}'"`
			`with self.subTest(file_name=file_name):`
			`with self.assertRaisesMessage(SuspiciousFileOperation, msg):`
			`f.generate_filename(None, file_name)`

			`def test_filefield_generate_filename_upload_to_dangerous_filename(self):`
			`def upload_to(instance, filename):`
			`return "/tmp/" + filename`

			`f = FileField(upload_to=upload_to)`
			`candidates = ["..", ".", ""]`
			`for file_name in candidates:`
			`msg = f"Could not derive file name from '/tmp/{file_name}'"`
			`with self.subTest(file_name=file_name):`
			`with self.assertRaisesMessage(SuspiciousFileOperation, msg):`
			`f.generate_filename(None, file_name)`

Fixed #26058 -- Delegated os.path bits of FileField's filename generation to the Storage. 2016-03-21 09:51:17 +08:00			`def test_filefield_awss3_storage(self):`
			`"""`
			`Simulate a FileField with an S3 storage which uses keys rather than`
			`folders and names. FileField and Storage shouldn't have any os.path()`
			`calls that break the key.`
			`"""`
			`storage = AWSS3Storage()`
			`folder = "not/a/folder/"`

			`f = FileField(upload_to=folder, storage=storage)`
			`key = "my-file-key\\with odd characters"`
			`data = ContentFile("test")`
			`expected_key = AWSS3Storage.prefix + folder + key`

			`# Simulate call to f.save()`
			`result_key = f.generate_filename(None, key)`
			`self.assertEqual(result_key, expected_key)`

			`result_key = storage.save(result_key, data)`
			`self.assertEqual(result_key, expected_key)`

			`# Repeat test with a callable.`
			`def upload_to(instance, filename):`
			`# Return a non-normalized path on purpose.`
			`return folder + filename`

			`f = FileField(upload_to=upload_to, storage=storage)`

			`# Simulate call to f.save()`
			`result_key = f.generate_filename(None, key)`
			`self.assertEqual(result_key, expected_key)`

			`result_key = storage.save(result_key, data)`
			`self.assertEqual(result_key, expected_key)`