pip/tests/unit/test_operations_prepare.py

import os
import shutil
from pathlib import Path
from shutil import rmtree
from tempfile import mkdtemp
from typing import Any, Dict
from unittest.mock import Mock, patch

import pytest

from pip._internal.exceptions import HashMismatch
from pip._internal.models.link import Link
from pip._internal.network.download import Downloader
from pip._internal.network.session import PipSession
from pip._internal.operations.prepare import unpack_url
from pip._internal.utils.hashes import Hashes
from tests.lib import TestData
from tests.lib.requests_mocks import MockResponse


def test_unpack_url_with_urllib_response_without_content_type(data: TestData) -> None:
    """
    It should download and unpack files even if no Content-Type header exists
    """
    _real_session = PipSession()

    def _fake_session_get(*args: Any, **kwargs: Any) -> Dict[str, str]:
        resp = _real_session.get(*args, **kwargs)
        del resp.headers["Content-Type"]
        return resp

    session = Mock()
    session.get = _fake_session_get
    download = Downloader(session, progress_bar="on")

    uri = data.packages.joinpath("simple-1.0.tar.gz").as_uri()
    link = Link(uri)
    temp_dir = mkdtemp()
    try:
        unpack_url(
            link,
            temp_dir,
            download=download,
            download_dir=None,
            verbosity=0,
        )
        assert set(os.listdir(temp_dir)) == {
            "PKG-INFO",
            "setup.cfg",
            "setup.py",
            "simple",
            "simple.egg-info",
        }
    finally:
        rmtree(temp_dir)


@patch("pip._internal.network.download.raise_for_status")
def test_download_http_url__no_directory_traversal(
    mock_raise_for_status: Mock, tmpdir: Path
) -> None:
    """
    Test that directory traversal doesn't happen on download when the
    Content-Disposition header contains a filename with a ".." path part.
    """
    mock_url = "http://www.example.com/whatever.tgz"
    contents = b"downloaded"
    link = Link(mock_url)

    session = Mock()
    resp = MockResponse(contents)
    resp.url = mock_url
    resp.headers = {
        # Set the content-type to a random value to prevent
        # mimetypes.guess_extension from guessing the extension.
        "content-type": "random",
        "content-disposition": 'attachment;filename="../out_dir_file"',
    }
    session.get.return_value = resp
    download = Downloader(session, progress_bar="on")

    download_dir = os.fspath(tmpdir.joinpath("download"))
    os.mkdir(download_dir)
    file_path, content_type = download(link, download_dir)
    # The file should be downloaded to download_dir.
    actual = os.listdir(download_dir)
    assert actual == ["out_dir_file"]
    mock_raise_for_status.assert_called_once_with(resp)


@pytest.fixture
def clean_project(tmpdir_factory: pytest.TempPathFactory, data: TestData) -> Path:
    tmpdir = tmpdir_factory.mktemp("clean_project")
    new_project_dir = tmpdir.joinpath("FSPkg")
    path = data.packages.joinpath("FSPkg")
    shutil.copytree(path, new_project_dir)
    return new_project_dir


class Test_unpack_url:
    def prep(self, tmpdir: Path, data: TestData) -> None:
        self.build_dir = os.fspath(tmpdir.joinpath("build"))
        self.download_dir = tmpdir.joinpath("download")
        os.mkdir(self.build_dir)
        os.mkdir(self.download_dir)
        self.dist_file = "simple-1.0.tar.gz"
        self.dist_file2 = "simple-2.0.tar.gz"
        self.dist_path = data.packages.joinpath(self.dist_file)
        self.dist_path2 = data.packages.joinpath(self.dist_file2)
        self.dist_url = Link(self.dist_path.as_uri())
        self.dist_url2 = Link(self.dist_path2.as_uri())
        self.no_download = Mock(side_effect=AssertionError)

    def test_unpack_url_no_download(self, tmpdir: Path, data: TestData) -> None:
        self.prep(tmpdir, data)
        unpack_url(self.dist_url, self.build_dir, self.no_download, verbosity=0)
        assert os.path.isdir(os.path.join(self.build_dir, "simple"))
        assert not os.path.isfile(os.path.join(self.download_dir, self.dist_file))

    def test_unpack_url_bad_hash(self, tmpdir: Path, data: TestData) -> None:
        """
        Test when the file url hash fragment is wrong
        """
        self.prep(tmpdir, data)
        url = f"{self.dist_url.url}#md5=bogus"
        dist_url = Link(url)
        with pytest.raises(HashMismatch):
            unpack_url(
                dist_url,
                self.build_dir,
                download=self.no_download,
                hashes=Hashes({"md5": ["bogus"]}),
                verbosity=0,
            )
more functional/unit tests restructure 2013-05-28 23:58:08 +02:00			`import os`
Ignore errors copying socket files for source installs (in Python 3). (#6844) 2019-08-21 11:19:02 +02:00			`import shutil`
Migrate tests to use pathlib.Path The pip-specific Path implementation has been removed, and all its usages replaced by pathlib.Path. The tmpdir and tmpdir_factory fixtures are also removed, and all usages are replaced by tmp_path and tmp_path_factory, which use pathlib.Path. The pip() function now also accepts pathlib.Path so we don't need to put str() everywhere. Path arguments are coerced with os.fspath() into str. 2022-06-07 11:52:38 +02:00			`from pathlib import Path`
Make unpack_file_url existing bad file test functional Reduces coupling between tests and code. 2019-12-14 01:53:40 +01:00			`from shutil import rmtree`
more functional/unit tests restructure 2013-05-28 23:58:08 +02:00			`from tempfile import mkdtemp`
Complete type annotations of tests/unit/ directory 2021-08-30 00:43:28 +02:00			`from typing import Any, Dict`
Lint 2021-02-10 11:38:21 +01:00			`from unittest.mock import Mock, patch`
more functional/unit tests restructure 2013-05-28 23:58:08 +02:00
Sort imports and minor Flake8 changes (#4520) * Run isort on the codebase Command: isort --recursive --skip __main__.py --skip _vendor -o pip._vendor -sd THIRDPARTY -m 5 -p pip -p tests ./pip ./tests * :newspaper: 2017-06-13 14:17:00 +02:00			`import pytest`
Move from pip.compat.* to six.moves.* for urllib related stuff 2014-09-12 00:40:45 +02:00
Move remaining functions in download to operations.prepare The only user of this module is operations.prepare.RequirementPreparer. Moving the functionality to the single using module means that refactoring will be easier (since all the mess is in one place). This also removes a mis-named module from the top-level of the repository. 2019-10-14 00:44:23 +02:00			`from pip._internal.exceptions import HashMismatch`
			`from pip._internal.models.link import Link`
Construct Downloader outside RequirementPreparer Reduces RequirementPreparer responsibilities, and will let us get rid of some constructor arguments. 2019-12-06 02:26:53 +01:00			`from pip._internal.network.download import Downloader`
Move remaining functions in download to operations.prepare The only user of this module is operations.prepare.RequirementPreparer. Moving the functionality to the single using module means that refactoring will be easier (since all the mess is in one place). This also removes a mis-named module from the top-level of the repository. 2019-10-14 00:44:23 +02:00			`from pip._internal.network.session import PipSession`
Drop out-of-tree/in-tree build transition flags These were intended to help users transition when the default behaviour changed to no longer perform out-of-tree builds. The transition is now considered complete. 2022-04-01 13:37:51 +02:00			`from pip._internal.operations.prepare import unpack_url`
Move all internal APIs to pip._internal 2017-08-31 17:48:18 +02:00			`from pip._internal.utils.hashes import Hashes`
Complete type annotations of tests/unit/ directory 2021-08-30 00:43:28 +02:00			`from tests.lib import TestData`
Move helper mock classes to dedicated module When we factor out tests these will be needed in both sets, and it's easier to refactor tests later if we avoid creating a dependency between test files. 2019-11-29 17:03:48 +01:00			`from tests.lib.requests_mocks import MockResponse`
more functional/unit tests restructure 2013-05-28 23:58:08 +02:00

Complete type annotations of tests/unit/ directory 2021-08-30 00:43:28 +02:00			`def test_unpack_url_with_urllib_response_without_content_type(data: TestData) -> None:`
more functional/unit tests restructure 2013-05-28 23:58:08 +02:00			`"""`
			`It should download and unpack files even if no Content-Type header exists`
			`"""`
Use requests instead of urllib2 2013-08-16 14:04:27 +02:00			`_real_session = PipSession()`

Complete type annotations of tests/unit/ directory 2021-08-30 00:43:28 +02:00			`def _fake_session_get(args: Any, *kwargs: Any) -> Dict[str, str]:`
Use requests instead of urllib2 2013-08-16 14:04:27 +02:00			`resp = _real_session.get(args, *kwargs)`
			`del resp.headers["Content-Type"]`
more functional/unit tests restructure 2013-05-28 23:58:08 +02:00			`return resp`

Use requests instead of urllib2 2013-08-16 14:04:27 +02:00			`session = Mock()`
			`session.get = _fake_session_get`
Give batch downloader a separate class 2020-08-11 17:56:37 +02:00			`download = Downloader(session, progress_bar="on")`
Use requests instead of urllib2 2013-08-16 14:04:27 +02:00
Migrate tests to use pathlib.Path The pip-specific Path implementation has been removed, and all its usages replaced by pathlib.Path. The tmpdir and tmpdir_factory fixtures are also removed, and all usages are replaced by tmp_path and tmp_path_factory, which use pathlib.Path. The pip() function now also accepts pathlib.Path so we don't need to put str() everywhere. Path arguments are coerced with os.fspath() into str. 2022-06-07 11:52:38 +02:00			`uri = data.packages.joinpath("simple-1.0.tar.gz").as_uri()`
Use requests instead of urllib2 2013-08-16 14:04:27 +02:00			`link = Link(uri)`
			`temp_dir = mkdtemp()`
			`try:`
Do not test unpack_http_url or unpack_file_url The tests for unpack_{file,http}_url relies on these functions to both retrieve and unpack. We want to move unpacking out, so call unpack_url instead. 2020-02-05 03:25:30 +01:00			`unpack_url(`
Use Flake8 on the test of pip's Python files 2014-01-28 15:17:51 +01:00			`link,`
			`temp_dir,`
Give batch downloader a separate class 2020-08-11 17:56:37 +02:00			`download=download,`
Make session a required parameter in operations.prepare 2019-11-12 04:34:52 +01:00			`download_dir=None,`
Change VCS tooling verbosity along with pip's verbosity (#9639) Co-authored-by: Tzu-ping Chung <uranusjr@gmail.com> Co-authored-by: Pradyun Gedam <pradyunsg@users.noreply.github.com> 2022-01-25 09:54:02 +01:00			`verbosity=0,`
Use requests instead of urllib2 2013-08-16 14:04:27 +02:00			`)`
Upgrade syntax in ./tests Changes were automated via https://github.com/asottile/pyupgrade See #4921 2017-12-15 06:56:04 +01:00			`assert set(os.listdir(temp_dir)) == {`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`"PKG-INFO",`
			`"setup.cfg",`
			`"setup.py",`
			`"simple",`
			`"simple.egg-info",`
Upgrade syntax in ./tests Changes were automated via https://github.com/asottile/pyupgrade See #4921 2017-12-15 06:56:04 +01:00			`}`
Use requests instead of urllib2 2013-08-16 14:04:27 +02:00			`finally:`
			`rmtree(temp_dir)`
more functional/unit tests restructure 2013-05-28 23:58:08 +02:00

feat(pip/_internal/*): Use custom raise_for_status method 2020-05-03 18:48:24 +02:00			`@patch("pip._internal.network.download.raise_for_status")`
Complete type annotations of tests/unit/ directory 2021-08-30 00:43:28 +02:00			`def test_download_http_url__no_directory_traversal(`
			`mock_raise_for_status: Mock, tmpdir: Path`
			`) -> None:`
FIX #6413 pip install <url> allow directory traversal 2019-04-17 15:25:45 +02:00			`"""`
			`Test that directory traversal doesn't happen on download when the`
			`Content-Disposition header contains a filename with a ".." path part.`
			`"""`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`mock_url = "http://www.example.com/whatever.tgz"`
			`contents = b"downloaded"`
FIX #6413 pip install <url> allow directory traversal 2019-04-17 15:25:45 +02:00			`link = Link(mock_url)`

			`session = Mock()`
			`resp = MockResponse(contents)`
			`resp.url = mock_url`
			`resp.headers = {`
			`# Set the content-type to a random value to prevent`
			`# mimetypes.guess_extension from guessing the extension.`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`"content-type": "random",`
			`"content-disposition": 'attachment;filename="../out_dir_file"',`
FIX #6413 pip install <url> allow directory traversal 2019-04-17 15:25:45 +02:00			`}`
			`session.get.return_value = resp`
Give batch downloader a separate class 2020-08-11 17:56:37 +02:00			`download = Downloader(session, progress_bar="on")`
FIX #6413 pip install <url> allow directory traversal 2019-04-17 15:25:45 +02:00
Migrate tests to use pathlib.Path The pip-specific Path implementation has been removed, and all its usages replaced by pathlib.Path. The tmpdir and tmpdir_factory fixtures are also removed, and all usages are replaced by tmp_path and tmp_path_factory, which use pathlib.Path. The pip() function now also accepts pathlib.Path so we don't need to put str() everywhere. Path arguments are coerced with os.fspath() into str. 2022-06-07 11:52:38 +02:00			`download_dir = os.fspath(tmpdir.joinpath("download"))`
FIX #6413 pip install <url> allow directory traversal 2019-04-17 15:25:45 +02:00			`os.mkdir(download_dir)`
Give batch downloader a separate class 2020-08-11 17:56:37 +02:00			`file_path, content_type = download(link, download_dir)`
FIX #6413 pip install <url> allow directory traversal 2019-04-17 15:25:45 +02:00			`# The file should be downloaded to download_dir.`
			`actual = os.listdir(download_dir)`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`assert actual == ["out_dir_file"]`
feat(pip/_internal/*): Use custom raise_for_status method 2020-05-03 18:48:24 +02:00			`mock_raise_for_status.assert_called_once_with(resp)`
FIX #6413 pip install <url> allow directory traversal 2019-04-17 15:25:45 +02:00

Ignore errors copying socket files for source installs (in Python 3). (#6844) 2019-08-21 11:19:02 +02:00			`@pytest.fixture`
Migrate tests to use pathlib.Path The pip-specific Path implementation has been removed, and all its usages replaced by pathlib.Path. The tmpdir and tmpdir_factory fixtures are also removed, and all usages are replaced by tmp_path and tmp_path_factory, which use pathlib.Path. The pip() function now also accepts pathlib.Path so we don't need to put str() everywhere. Path arguments are coerced with os.fspath() into str. 2022-06-07 11:52:38 +02:00			`def clean_project(tmpdir_factory: pytest.TempPathFactory, data: TestData) -> Path:`
			`tmpdir = tmpdir_factory.mktemp("clean_project")`
Ignore errors copying socket files for source installs (in Python 3). (#6844) 2019-08-21 11:19:02 +02:00			`new_project_dir = tmpdir.joinpath("FSPkg")`
			`path = data.packages.joinpath("FSPkg")`
			`shutil.copytree(path, new_project_dir)`
			`return new_project_dir`


Remove object from class definitions Unnecessary since dropping Python 2 support. In Python 3, all classes are new style classes. 2020-12-24 22:23:07 +01:00			`class Test_unpack_url:`
Complete type annotations of tests/unit/ directory 2021-08-30 00:43:28 +02:00			`def prep(self, tmpdir: Path, data: TestData) -> None:`
Migrate tests to use pathlib.Path The pip-specific Path implementation has been removed, and all its usages replaced by pathlib.Path. The tmpdir and tmpdir_factory fixtures are also removed, and all usages are replaced by tmp_path and tmp_path_factory, which use pathlib.Path. The pip() function now also accepts pathlib.Path so we don't need to put str() everywhere. Path arguments are coerced with os.fspath() into str. 2022-06-07 11:52:38 +02:00			`self.build_dir = os.fspath(tmpdir.joinpath("build"))`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`self.download_dir = tmpdir.joinpath("download")`
'pip wheel' should download wheels, when it finds them 2014-02-01 20:41:55 +01:00			`os.mkdir(self.build_dir)`
			`os.mkdir(self.download_dir)`
			`self.dist_file = "simple-1.0.tar.gz"`
			`self.dist_file2 = "simple-2.0.tar.gz"`
Rename compatible functions in tests.lib.path.Path. 2019-07-02 07:00:32 +02:00			`self.dist_path = data.packages.joinpath(self.dist_file)`
			`self.dist_path2 = data.packages.joinpath(self.dist_file2)`
Migrate tests to use pathlib.Path The pip-specific Path implementation has been removed, and all its usages replaced by pathlib.Path. The tmpdir and tmpdir_factory fixtures are also removed, and all usages are replaced by tmp_path and tmp_path_factory, which use pathlib.Path. The pip() function now also accepts pathlib.Path so we don't need to put str() everywhere. Path arguments are coerced with os.fspath() into str. 2022-06-07 11:52:38 +02:00			`self.dist_url = Link(self.dist_path.as_uri())`
			`self.dist_url2 = Link(self.dist_path2.as_uri())`
Give batch downloader a separate class 2020-08-11 17:56:37 +02:00			`self.no_download = Mock(side_effect=AssertionError)`
'pip wheel' should download wheels, when it finds them 2014-02-01 20:41:55 +01:00
Complete type annotations of tests/unit/ directory 2021-08-30 00:43:28 +02:00			`def test_unpack_url_no_download(self, tmpdir: Path, data: TestData) -> None:`
'pip wheel' should download wheels, when it finds them 2014-02-01 20:41:55 +01:00			`self.prep(tmpdir, data)`
Change VCS tooling verbosity along with pip's verbosity (#9639) Co-authored-by: Tzu-ping Chung <uranusjr@gmail.com> Co-authored-by: Pradyun Gedam <pradyunsg@users.noreply.github.com> 2022-01-25 09:54:02 +01:00			`unpack_url(self.dist_url, self.build_dir, self.no_download, verbosity=0)`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`assert os.path.isdir(os.path.join(self.build_dir, "simple"))`
			`assert not os.path.isfile(os.path.join(self.download_dir, self.dist_file))`
'pip wheel' should download wheels, when it finds them 2014-02-01 20:41:55 +01:00
Complete type annotations of tests/unit/ directory 2021-08-30 00:43:28 +02:00			`def test_unpack_url_bad_hash(self, tmpdir: Path, data: TestData) -> None:`
when file urls have hash fragments, check it 2014-02-01 23:04:58 +01:00			`"""`
			`Test when the file url hash fragment is wrong`
			`"""`
			`self.prep(tmpdir, data)`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`url = f"{self.dist_url.url}#md5=bogus"`
Parse the url when creating a Link object. 2019-06-23 01:02:42 +02:00			`dist_url = Link(url)`
when file urls have hash fragments, check it 2014-02-01 23:04:58 +01:00			`with pytest.raises(HashMismatch):`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`unpack_url(`
			`dist_url,`
			`self.build_dir,`
			`download=self.no_download,`
			`hashes=Hashes({"md5": ["bogus"]}),`
Change VCS tooling verbosity along with pip's verbosity (#9639) Co-authored-by: Tzu-ping Chung <uranusjr@gmail.com> Co-authored-by: Pradyun Gedam <pradyunsg@users.noreply.github.com> 2022-01-25 09:54:02 +01:00			`verbosity=0,`
Reformat the codebase, with black 2021-08-13 15:23:45 +02:00			`)`