From 70dd70a4d4d39ca2715a83370c6305896ee04a30 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 12 Jul 2018 16:29:54 +0100
Subject: [PATCH] Test for StaticFiles directory breakout protection
---
 tests/test_staticfiles.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/tests/test_staticfiles.py b/tests/test_staticfiles.py
index dbced70b..7d4a2f24 100644
--- a/tests/test_staticfiles.py
+++ b/tests/test_staticfiles.py
@@ -122,3 +122,18 @@ def test_staticfiles_config_check_occurs_only_once(tmpdir):
     assert app.config_checked
     response = client.get("/")
     assert app.config_checked
+
+
+def test_staticfiles_prevents_breaking_out_of_directory(tmpdir):
+    directory = os.path.join(tmpdir, 'foo')
+    os.mkdir(directory)
+
+    path = os.path.join(tmpdir, "example.txt")
+    with open(path, "w") as file:
+        file.write("outside root dir")
+
+    app = StaticFiles(directory=directory)
+    # We can't test this with 'requests', so we call the app directly here.
+    response = app({'method': 'GET', 'path': '/../example.txt'})
+    assert response.status_code == 404
+    assert response.body == b"Not found"
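Review bot: The two assertions at the end of the new test cannot tell a blocked traversal from an ordinary miss, because `/../example.txt` would produce the same `404` / `b"Not found"` if `StaticFiles` served nothing at all from an empty `foo`; a positive control in the same test makes the check conclusive. Write a file of the same name inside `directory` with different contents, assert that `app({'method': 'GET', 'path': '/example.txt'})` serves it (assuming the file response exposes `status_code` the same way the 404 response does), and only then assert the traversal case, so a regression that serves the outside file would fail on body contents rather than pass by accident. The single `/../example.txt` probe also leaves nested forms such as `/foo/../../example.txt` unexercised; a second scope in the same test would cover them cheaply. The inline comment should also say why `requests` is unsuitable, presumably path normalization in the client before the scope is built, e.g. `# The HTTP client normalizes '..' segments before they reach the app, so build the scope by hand.`
```python
def test_staticfiles_prevents_breaking_out_of_directory(tmpdir):
    # … unchanged: create 'foo' and the outside example.txt …
    inside = os.path.join(directory, "example.txt")
    with open(inside, "w") as file:
        file.write("inside root dir")

    app = StaticFiles(directory=directory)
    # Positive control: the same name resolved inside the root must be served,
    # so the 404 below shows the traversal was blocked rather than a missing file.
    response = app({'method': 'GET', 'path': '/example.txt'})
    assert response.status_code == 200
    # … unchanged: traversal request and 404 assertions …
```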