mirror of
https://github.com/langgenius/dify.git
synced 2025-11-14 18:32:19 +00:00
5bc6e8a433
Fixes #25619 The regex patterns for file-preview and image-preview contained an unescaped `?`, which caused incorrect matches such as `file-previe` or `image-previw`. This led to malformed URLs being incorrectly re-signed. Changes: - Escape `?` in both file-preview and image-preview regex patterns. - Ensure only valid URLs are re-signed. Added unit tests to cover: - Valid file-preview and image-preview URLs (correctly re-signed). - Misspelled file/image preview URLs (no longer incorrectly matched). Other: - Fix a deprecated function `datetime.utcnow()` Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
84 lines
2.6 KiB
Python
84 lines
2.6 KiB
Python
import importlib
|
|
import types
|
|
|
|
import pytest
|
|
|
|
from models.model import Message
|
|
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def patch_file_helpers(monkeypatch: pytest.MonkeyPatch):
|
|
"""
|
|
Patch file_helpers.get_signed_file_url to a deterministic stub.
|
|
"""
|
|
model_module = importlib.import_module("models.model")
|
|
dummy = types.SimpleNamespace(get_signed_file_url=lambda fid: f"https://signed.example/{fid}")
|
|
# Inject/override file_helpers on models.model
|
|
monkeypatch.setattr(model_module, "file_helpers", dummy, raising=False)
|
|
|
|
|
|
def _wrap_md(url: str) -> str:
|
|
"""
|
|
Wrap a raw URL into the markdown that re_sign_file_url_answer expects:
|
|
[link](<url>)
|
|
"""
|
|
return f"please click [file]({url}) to download."
|
|
|
|
|
|
def test_file_preview_valid_replaced():
|
|
"""
|
|
Valid file-preview URL must be re-signed:
|
|
- Extract upload_file_id correctly
|
|
- Replace the original URL with the signed URL
|
|
"""
|
|
upload_id = "abc-123"
|
|
url = f"/files/{upload_id}/file-preview?timestamp=111&nonce=222&sign=333"
|
|
msg = Message(answer=_wrap_md(url))
|
|
|
|
out = msg.re_sign_file_url_answer
|
|
assert f"https://signed.example/{upload_id}" in out
|
|
assert url not in out
|
|
|
|
|
|
def test_file_preview_misspelled_not_replaced():
|
|
"""
|
|
Misspelled endpoint 'file-previe?timestamp=' should NOT be rewritten.
|
|
"""
|
|
upload_id = "zzz-001"
|
|
# path deliberately misspelled: file-previe? (missing 'w')
|
|
# and we append ¬e=file-preview to trick the old `"file-preview" in url` check.
|
|
url = f"/files/{upload_id}/file-previe?timestamp=111&nonce=222&sign=333¬e=file-preview"
|
|
original = _wrap_md(url)
|
|
msg = Message(answer=original)
|
|
|
|
out = msg.re_sign_file_url_answer
|
|
# Expect NO replacement, should not rewrite misspelled file-previe URL
|
|
assert out == original
|
|
|
|
|
|
def test_image_preview_valid_replaced():
|
|
"""
|
|
Valid image-preview URL must be re-signed.
|
|
"""
|
|
upload_id = "img-789"
|
|
url = f"/files/{upload_id}/image-preview?timestamp=123&nonce=456&sign=789"
|
|
msg = Message(answer=_wrap_md(url))
|
|
|
|
out = msg.re_sign_file_url_answer
|
|
assert f"https://signed.example/{upload_id}" in out
|
|
assert url not in out
|
|
|
|
|
|
def test_image_preview_misspelled_not_replaced():
|
|
"""
|
|
Misspelled endpoint 'image-previe?timestamp=' should NOT be rewritten.
|
|
"""
|
|
upload_id = "img-err-42"
|
|
url = f"/files/{upload_id}/image-previe?timestamp=1&nonce=2&sign=3¬e=image-preview"
|
|
original = _wrap_md(url)
|
|
msg = Message(answer=original)
|
|
|
|
out = msg.re_sign_file_url_answer
|
|
# Expect NO replacement, should not rewrite misspelled image-previe URL
|
|
assert out == original
|