Merge branch 'master' into fix-file-access

Tweak test file
Fixing file:// file pickup
2025-11-10 03:27:14 +00:00 · 2024-07-18 11:03:58 +02:00 · 2024-07-18 10:59:32 +02:00 · 2024-07-18 09:41:21 +02:00
4 changed files with 44 additions and 11 deletions
--- a/changedetectionio/content_fetchers/requests.py
+++ b/changedetectionio/content_fetchers/requests.py
@@ -4,6 +4,7 @@ import os
 import chardet
 import requests
 from changedetectionio import strtobool
 from changedetectionio.content_fetchers.exceptions import BrowserStepsInUnsupportedFetcher, EmptyReply, Non200ErrorCodeReceived
 from changedetectionio.content_fetchers.base import Fetcher
@@ -45,7 +46,13 @@ class fetcher(Fetcher):
            if self.system_https_proxy:
                proxies['https'] = self.system_https_proxy
-        r = requests.request(method=request_method,
+        session = requests.Session()
        if strtobool(os.getenv('ALLOW_FILE_URI', 'false')) and url.startswith('file://'):
            from requests_file import FileAdapter
            session.mount('file://', FileAdapter())
        r = session.request(method=request_method,
                            data=request_body,
                            url=url,
                            headers=request_headers,
--- a/changedetectionio/run_basic_tests.sh
+++ b/changedetectionio/run_basic_tests.sh
@@ -36,3 +36,7 @@ pytest tests/test_notification.py
 pytest tests/test_backend.py
 pytest tests/test_rss.py
 pytest tests/test_unique_lines.py
 # Check file:// will pickup a file when enabled
 echo "Hello world" > /tmp/test-file.txt
 ALLOW_FILE_URI=yes pytest tests/test_security.py
--- a/changedetectionio/tests/test_security.py
+++ b/changedetectionio/tests/test_security.py
@@ -1,7 +1,12 @@
 import os
 from flask import url_for
 from .util import set_original_response, set_modified_response, live_server_setup, wait_for_all_checks
 import time
 from .. import strtobool
 def test_setup(client, live_server, measure_memory_usage):
    live_server_setup(live_server)
@@ -55,16 +60,32 @@ def test_bad_access(client, live_server, measure_memory_usage):
    assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
    # file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
 def test_file_access(client, live_server, measure_memory_usage):
    #live_server_setup(live_server)
    test_file_path = "/tmp/test-file.txt"
    # file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
    client.post(
        url_for("form_quick_watch_add"),
-        data={"url": 'file:///tasty/disk/drive', "tags": ''},
+        data={"url": f"file://{test_file_path}", "tags": ''},
        follow_redirects=True
    )
    wait_for_all_checks(client)
    res = client.get(url_for("index"))
    # If it is enabled at test time
    if strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
        res = client.get(
            url_for("preview_page", uuid="first"),
            follow_redirects=True
        )
        # Should see something (this file added by run_basic_tests.sh)
        assert b"Hello world" in res.data
    else:
        # Default should be here
        assert b'file:// type access is denied for security reasons.' in res.data
 def test_xss(client, live_server, measure_memory_usage):
--- a/requirements.txt
+++ b/requirements.txt
@@ -22,6 +22,7 @@ validators~=0.21
 # >= 2.26 also adds Brotli support if brotli is installed
 brotli~=1.0
 requests[socks]
 requests-file
 urllib3==1.26.19
 chardet>2.3.0
Author	SHA1	Message	Date
dgtlmoon	ff49d6d4c5	Merge branch 'master' into fix-file-access	2024-07-18 11:03:58 +02:00
dgtlmoon	d0ecee7794	Tweak test file	2024-07-18 10:59:32 +02:00
dgtlmoon	d55f4727a2	Fixing file:// file pickup	2024-07-18 09:41:21 +02:00