Add test cases for path checks

packaging/docker/sidecar.py

@@ -552,35 +552,44 @@ class SidecarHandler(BaseHTTPRequestHandler):
         return json.dumps(self.config.substitutions)
 
     def check_hash(self, filename):
-        self.is_path_allowed(filename)
-        try:
-            with open(os.path.join(self.config.output_dir, filename), "rb") as contents:
-                m = hashlib.sha256()
-                m.update(contents.read())
-                return m.hexdigest()
-        except FileNotFoundError:
-            raise RequestException(
-                f"{filename} not found",
-                404,
-            )
+        return check_hash(self.config.output_dir, filename)
 
     def is_present(self, filename):
-        self.is_path_allowed(filename)
-        if os.path.exists(os.path.join(self.config.output_dir, filename)):
-            return True
+        return is_present(self.config.output_dir, filename)
+
+
+def is_path_allowed(output_dir, filename):
+    safe_base = os.path.abspath(output_dir)
+    requested_path = os.path.abspath(os.path.join(safe_base, filename))
+    if not requested_path.startswith(safe_base):
+        raise RequestException(
+            f"path {requested_path} is outside of the allowed directory {safe_base} and therefore denied",
+            403,
+        )
+
+
+def check_hash(output_dir, filename):
+    is_path_allowed(output_dir, filename)
+    try:
+        with open(os.path.join(output_dir, filename), "rb") as contents:
+            m = hashlib.sha256()
+            m.update(contents.read())
+            return m.hexdigest()
+    except FileNotFoundError:
         raise RequestException(
             f"{filename} not found",
             404,
         )
 
-    def is_path_allowed(self, filename):
-        safe_base = os.path.abspath(self.config.output_dir)
-        requested_path = os.path.abspath(os.path.join(safe_base, filename))
-        if not requested_path.startswith(safe_base):
-            raise RequestException(
-                f"path {requested_path} is outside of the allowed directory {safe_base} and therefore denied",
-                403,
-            )
+
+def is_present(output_dir, filename):
+    is_path_allowed(output_dir, filename)
+    if os.path.exists(os.path.join(output_dir, filename)):
+        return True
+    raise RequestException(
+        f"{filename} not found",
+        404,
+    )
 
 
 class CertificateEventHandler(FileSystemEventHandler):

packaging/docker/sidecar_test.py

@@ -31,7 +31,7 @@ from unittest.mock import MagicMock
 
 import requests
 
-from sidecar import SidecarHandler
+from sidecar import SidecarHandler, RequestException, check_hash, is_present
 
 
 # This test suite starts a real server with a mocked configuration and will do some requests against it.
@@ -106,6 +106,13 @@ class TestSidecar(unittest.TestCase):
             r.text, "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
         )
 
+    def test_get_check_hash_outside(self):
+        with open(os.path.join(self.mock_config.output_dir, "foobar"), "w") as f:
+            f.write("hello world")
+
+        with self.assertRaises(RequestException):
+            check_hash(self.mock_config.output_dir, "../foobar")
+
     def test_get_is_present_no_found(self):
         r = requests.get(f"{self.server_url}/is_present/foobar")
         self.assertEqual(r.status_code, 404)
@@ -127,6 +134,13 @@ class TestSidecar(unittest.TestCase):
         self.assertEqual(r.status_code, 200)
         self.assertEqual(r.text, "OK\n")
 
+    def test_get_check_is_present(self):
+        with open(os.path.join(self.mock_config.output_dir, "foobar"), "w") as f:
+            f.write("hello world")
+
+        with self.assertRaises(RequestException):
+            is_present(self.mock_config.output_dir, "../foobar")
+
     def test_get_not_found(self):
         r = requests.get(f"{self.server_url}/foobar")
         self.assertEqual(r.status_code, 404)