Pillow/Tests/test_shell_injection.py

import shutil

from PIL import GifImagePlugin, Image, JpegImagePlugin

from .helper import (
    PillowTestCase,
    cjpeg_available,
    djpeg_available,
    is_win32,
    netpbm_available,
    unittest,
)

TEST_JPG = "Tests/images/hopper.jpg"
TEST_GIF = "Tests/images/hopper.gif"

test_filenames = ("temp_';", 'temp_";', "temp_'\"|", "temp_'\"||", "temp_'\"&&")


@unittest.skipIf(is_win32(), "requires Unix or macOS")
class TestShellInjection(PillowTestCase):
    def assert_save_filename_check(self, src_img, save_func):
        for filename in test_filenames:
            dest_file = self.tempfile(filename)
            save_func(src_img, 0, dest_file)
            # If file can't be opened, shell injection probably occurred
            Image.open(dest_file).load()

    @unittest.skipUnless(djpeg_available(), "djpeg not available")
    def test_load_djpeg_filename(self):
        for filename in test_filenames:
            src_file = self.tempfile(filename)
            shutil.copy(TEST_JPG, src_file)

            im = Image.open(src_file)
            im.load_djpeg()

    @unittest.skipUnless(cjpeg_available(), "cjpeg not available")
    def test_save_cjpeg_filename(self):
        im = Image.open(TEST_JPG)
        self.assert_save_filename_check(im, JpegImagePlugin._save_cjpeg)

    @unittest.skipUnless(netpbm_available(), "netpbm not available")
    def test_save_netpbm_filename_bmp_mode(self):
        im = Image.open(TEST_GIF).convert("RGB")
        self.assert_save_filename_check(im, GifImagePlugin._save_netpbm)

    @unittest.skipUnless(netpbm_available(), "netpbm not available")
    def test_save_netpbm_filename_l_mode(self):
        im = Image.open(TEST_GIF).convert("L")
        self.assert_save_filename_check(im, GifImagePlugin._save_netpbm)
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`import shutil`
Introduce isort to automate import ordering and formatting Similar to the recent adoption of Black. isort is a Python utility to sort imports alphabetically and automatically separate into sections. By using isort, contributors can quickly and automatically conform to the projects style without thinking. Just let the tool do it. Uses the configuration recommended by the Black to avoid conflicts of style. Rewrite TestImageQt.test_deprecated to no rely on import order. 2019-07-06 23:40:53 +03:00
			`from PIL import GifImagePlugin, Image, JpegImagePlugin`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00
Introduce isort to automate import ordering and formatting Similar to the recent adoption of Black. isort is a Python utility to sort imports alphabetically and automatically separate into sections. By using isort, contributors can quickly and automatically conform to the projects style without thinking. Just let the tool do it. Uses the configuration recommended by the Black to avoid conflicts of style. Rewrite TestImageQt.test_deprecated to no rely on import order. 2019-07-06 23:40:53 +03:00			`from .helper import (`
			`PillowTestCase,`
			`cjpeg_available,`
			`djpeg_available,`
Tests.helper cleanup 2019-09-25 12:46:54 +03:00			`is_win32,`
Introduce isort to automate import ordering and formatting Similar to the recent adoption of Black. isort is a Python utility to sort imports alphabetically and automatically separate into sections. By using isort, contributors can quickly and automatically conform to the projects style without thinking. Just let the tool do it. Uses the configuration recommended by the Black to avoid conflicts of style. Rewrite TestImageQt.test_deprecated to no rely on import order. 2019-07-06 23:40:53 +03:00			`netpbm_available,`
			`unittest,`
			`)`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00
Replace lena.gif with hopper.gif 2014-09-04 09:44:46 +04:00			`TEST_JPG = "Tests/images/hopper.jpg"`
			`TEST_GIF = "Tests/images/hopper.gif"`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00
Format with Black 2019-06-13 18:54:46 +03:00			`test_filenames = ("temp_';", 'temp_";', "temp_'\"\|", "temp_'\"\|\|", "temp_'\"&&")`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00
flake8 2014-08-28 15:44:19 +04:00
Tests.helper cleanup 2019-09-25 12:46:54 +03:00			`@unittest.skipIf(is_win32(), "requires Unix or macOS")`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`class TestShellInjection(PillowTestCase):`
			`def assert_save_filename_check(self, src_img, save_func):`
			`for filename in test_filenames:`
			`dest_file = self.tempfile(filename)`
			`save_func(src_img, 0, dest_file)`
			`# If file can't be opened, shell injection probably occurred`
			`Image.open(dest_file).load()`

Skip tests if external commands aren't found 2014-06-28 02:12:37 +04:00			`@unittest.skipUnless(djpeg_available(), "djpeg not available")`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`def test_load_djpeg_filename(self):`
			`for filename in test_filenames:`
			`src_file = self.tempfile(filename)`
Replace lena.gif with hopper.gif 2014-09-04 09:44:46 +04:00			`shutil.copy(TEST_JPG, src_file)`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00
			`im = Image.open(src_file)`
			`im.load_djpeg()`

Skip tests if external commands aren't found 2014-06-28 02:12:37 +04:00			`@unittest.skipUnless(cjpeg_available(), "cjpeg not available")`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`def test_save_cjpeg_filename(self):`
Replace lena.gif with hopper.gif 2014-09-04 09:44:46 +04:00			`im = Image.open(TEST_JPG)`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`self.assert_save_filename_check(im, JpegImagePlugin._save_cjpeg)`

Skip tests if external commands aren't found 2014-06-28 02:12:37 +04:00			`@unittest.skipUnless(netpbm_available(), "netpbm not available")`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`def test_save_netpbm_filename_bmp_mode(self):`
Replace lena.gif with hopper.gif 2014-09-04 09:44:46 +04:00			`im = Image.open(TEST_GIF).convert("RGB")`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`self.assert_save_filename_check(im, GifImagePlugin._save_netpbm)`

Skip tests if external commands aren't found 2014-06-28 02:12:37 +04:00			`@unittest.skipUnless(netpbm_available(), "netpbm not available")`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`def test_save_netpbm_filename_l_mode(self):`
Replace lena.gif with hopper.gif 2014-09-04 09:44:46 +04:00			`im = Image.open(TEST_GIF).convert("L")`
Tests for _save_netpbm, _save_cjpeg and load_djpeg 2014-06-27 07:37:49 +04:00			`self.assert_save_filename_check(im, GifImagePlugin._save_netpbm)`