2026-05-13 15:07:23 +08:00
|
|
|
#
|
|
|
|
|
# Copyright 2026 The InfiniFlow Authors. All Rights Reserved.
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
|
# limitations under the License.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
import pytest
|
2026-05-28 11:03:12 +08:00
|
|
|
from test.testcases.configs import INVALID_API_TOKEN
|
2026-07-13 16:41:38 +08:00
|
|
|
from test.testcases.restful_api.helpers.assertions import assert_auth_error
|
2026-05-28 11:03:12 +08:00
|
|
|
from test.testcases.restful_api.helpers.client import RestClient
|
2026-05-13 15:07:23 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.p2
|
2026-06-03 19:58:06 +08:00
|
|
|
def test_document_image_invalid_id_contract(rest_client):
|
|
|
|
|
res = rest_client.get("/documents/images/not-a-valid-image-id")
|
2026-05-13 15:07:23 +08:00
|
|
|
assert res.status_code == 200
|
|
|
|
|
payload = res.json()
|
|
|
|
|
assert payload["code"] == 102, payload
|
|
|
|
|
assert payload["message"] == "Image not found.", payload
|
|
|
|
|
|
|
|
|
|
|
2026-05-28 11:03:12 +08:00
|
|
|
@pytest.mark.p2
|
|
|
|
|
def test_document_download_by_id_requires_auth(create_document):
|
|
|
|
|
_dataset_id, document_id = create_document("document_raw_download_auth.txt")
|
|
|
|
|
for scenario_name, client in (("missing token", RestClient(token=None)), ("invalid token", RestClient(token=INVALID_API_TOKEN))):
|
|
|
|
|
res = client.get(f"/documents/{document_id}")
|
|
|
|
|
assert res.status_code == 401, (scenario_name, res.text)
|
|
|
|
|
payload = res.json()
|
2026-07-13 16:41:38 +08:00
|
|
|
assert_auth_error(payload, scenario_name)
|
2026-05-28 11:03:12 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.p2
|
|
|
|
|
def test_document_download_by_id_invalid_id_contract(rest_client):
|
|
|
|
|
res = rest_client.get("/documents/invalid_document_id")
|
|
|
|
|
assert res.status_code == 200
|
|
|
|
|
payload = res.json()
|
|
|
|
|
assert payload["code"] == 102, payload
|
Harden closed-advisory fixes (#16409)
## Summary
- harden reopened advisory fixes across REST connector, invoke, document
downloads, and markdown rendering
- add targeted regression coverage for redirect-safe SSRF handling,
invoke SSRF checks, document access control, and markdown sanitization
- verify each referenced GHSA against the original GitHub advisory text
and align the closed-advisory plan with the implemented remediation
## What changed
- add tenant access checks to document download endpoints to avoid
cross-tenant document disclosure
- add per-hop SSRF validation, DNS pinning, redirect handling, and
redirect limits to the REST API connector
- ensure invoke requests validate and pin the resolved host and never
follow redirects implicitly
- keep the generic rate-limited request path wrapped, not just GET and
POST helpers
- sanitize markdown HTML before rendering in the highlight markdown
component
## Validation
- `cd web && npm test -- --runInBand
src/components/highlight-markdown/__tests__/index.test.tsx`
- `.venv/bin/python -m pytest -q
test/unit_test/data_source/test_rest_api_connector.py`
- targeted `test/testcases/test_web_api/...` unit additions were
reviewed, but the suite cannot be executed end-to-end in this
environment because parent `test/testcases/conftest.py` requires a local
service on `127.0.0.1:9380`
## Notes
- all GHSA entries referenced by the plan were checked against the
original GitHub advisory text, not sampled
- the closed-advisory plan document was updated locally during review,
but is intentionally not included in this PR
2026-06-28 11:17:54 +08:00
|
|
|
assert payload["message"] == "Document not found!", payload
|
2026-05-28 11:03:12 +08:00
|
|
|
|
|
|
|
|
|
2026-05-13 15:07:23 +08:00
|
|
|
@pytest.mark.p2
|
|
|
|
|
def test_document_artifact_requires_auth(rest_client_noauth):
|
|
|
|
|
res = rest_client_noauth.get("/documents/artifact/not-an-artifact.txt")
|
|
|
|
|
assert res.status_code == 401
|
|
|
|
|
payload = res.json()
|
|
|
|
|
assert payload["code"] == 401, payload
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.p2
|
|
|
|
|
def test_document_artifact_rejects_unsafe_filename(rest_client):
|
|
|
|
|
res = rest_client.get("/documents/artifact/not-an-artifact.exe")
|
|
|
|
|
assert res.status_code == 200
|
|
|
|
|
payload = res.json()
|
|
|
|
|
assert payload["code"] == 102, payload
|
|
|
|
|
assert payload["message"] == "Invalid file type.", payload
|