xinyin025/LangBot
1
0
Fork 0
mirror of https://github.com/langbot-app/LangBot.git synced 2026-06-19 03:54:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(rag): reject unsafe runtime file paths

Browse Source
This commit is contained in:
huanghuoguoguo
2026-05-16 10:53:57 +08:00
parent b251fc4b89
commit 14330741cc
2 changed files with 85 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/unit_tests/rag/test_runtime_service.py
+68
View File
@@ -0,0 +1,68 @@
from __future__ import annotations
from types import SimpleNamespace
import pytest
from langbot.pkg.rag.service.runtime import RAGRuntimeService
class DummyStorageProvider:
def __init__(self, content: bytes | None = b'data'):
self.content = content
self.loaded_paths: list[str] = []
async def load(self, path: str):
self.loaded_paths.append(path)
return self.content
def make_service(storage_provider: DummyStorageProvider) -> RAGRuntimeService:
return RAGRuntimeService(SimpleNamespace(storage_mgr=SimpleNamespace(storage_provider=storage_provider)))
@pytest.mark.asyncio
async def test_get_file_stream_normalizes_safe_path():
storage_provider = DummyStorageProvider()
service = make_service(storage_provider)
content = await service.get_file_stream('safe/./nested/file.pdf')
assert content == b'data'
assert storage_provider.loaded_paths == ['safe/nested/file.pdf']
@pytest.mark.asyncio
@pytest.mark.parametrize(
'storage_path',
[
'',
'../secret.txt',
'/absolute/path.txt',
'..\\secret.txt',
'nested\\..\\secret.txt',
'%2e%2e/secret.txt',
'nested/%2e%2e/secret.txt',
'C:\\secret.txt',
'safe/\x00file.txt',
],
)
async def test_get_file_stream_rejects_unsafe_paths(storage_path: str):
storage_provider = DummyStorageProvider()
service = make_service(storage_provider)
with pytest.raises(ValueError, match='Invalid storage path'):
await service.get_file_stream(storage_path)
assert storage_provider.loaded_paths == []
@pytest.mark.asyncio
async def test_get_file_stream_returns_empty_bytes_for_missing_content():
storage_provider = DummyStorageProvider(content=None)
service = make_service(storage_provider)
content = await service.get_file_stream('safe/file.pdf')
assert content == b''
assert storage_provider.loaded_paths == ['safe/file.pdf']