mirror of
https://github.com/HKUDS/nanobot.git
synced 2026-05-20 00:22:31 +00:00
39 lines
1.2 KiB
Python
39 lines
1.2 KiB
Python
from pathlib import Path
|
|
from types import SimpleNamespace
|
|
|
|
import pytest
|
|
|
|
from nanobot.channels import feishu as feishu_module
|
|
from nanobot.channels.feishu import FeishuChannel
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_feishu_downloaded_media_filename_cannot_escape_media_dir(monkeypatch, tmp_path):
|
|
media_dir = tmp_path / "media"
|
|
media_dir.mkdir()
|
|
outside = tmp_path / "escaped.txt"
|
|
|
|
monkeypatch.setattr(feishu_module, "get_media_dir", lambda _channel: media_dir)
|
|
|
|
channel = FeishuChannel.__new__(FeishuChannel)
|
|
channel.logger = SimpleNamespace(
|
|
debug=lambda *args, **kwargs: None,
|
|
warning=lambda *args, **kwargs: None,
|
|
)
|
|
|
|
def fake_download(_message_id, _file_key, _resource_type):
|
|
return b"owned", "../escaped.txt"
|
|
|
|
channel._download_file_sync = fake_download
|
|
|
|
path_str, content = await channel._download_and_save_media(
|
|
"file", {"file_key": "fk_123"}, "msg_123"
|
|
)
|
|
|
|
saved_path = Path(path_str)
|
|
assert not outside.exists()
|
|
assert saved_path.parent == media_dir
|
|
assert saved_path.name == "escaped.txt"
|
|
assert saved_path.read_bytes() == b"owned"
|
|
assert content == f"[file: {saved_path}]"
|