|
|
|
@ -1,28 +1,12 @@ |
|
|
|
from fastapi import FastAPI |
|
|
|
from fastapi.testclient import TestClient |
|
|
|
from starlette.types import ASGIApp, Receive, Scope, Send |
|
|
|
|
|
|
|
|
|
|
|
def _make_root_path_middleware(root_path: str): |
|
|
|
"""Return middleware that injects root_path into every request scope.""" |
|
|
|
|
|
|
|
class _Middleware: |
|
|
|
def __init__(self, app: ASGIApp): |
|
|
|
self.app = app |
|
|
|
|
|
|
|
async def __call__(self, scope: Scope, receive: Receive, send: Send): |
|
|
|
if scope["type"] == "http": |
|
|
|
scope["root_path"] = root_path |
|
|
|
await self.app(scope, receive, send) |
|
|
|
|
|
|
|
return _Middleware |
|
|
|
|
|
|
|
|
|
|
|
def test_root_path_does_not_persist_across_requests(): |
|
|
|
app = FastAPI() |
|
|
|
|
|
|
|
@app.get("/") |
|
|
|
def read_root(): |
|
|
|
def read_root(): # pragma: no cover |
|
|
|
return {"ok": True} |
|
|
|
|
|
|
|
# Attacker request with a spoofed root_path |
|
|
|
@ -43,7 +27,7 @@ def test_multiple_different_root_paths_do_not_accumulate(): |
|
|
|
app = FastAPI() |
|
|
|
|
|
|
|
@app.get("/") |
|
|
|
def read_root(): |
|
|
|
def read_root(): # pragma: no cover |
|
|
|
return {"ok": True} |
|
|
|
|
|
|
|
for prefix in ["/path-a", "/path-b", "/path-c"]: |
|
|
|
@ -65,7 +49,7 @@ def test_legitimate_root_path_still_appears(): |
|
|
|
app = FastAPI() |
|
|
|
|
|
|
|
@app.get("/") |
|
|
|
def read_root(): |
|
|
|
def read_root(): # pragma: no cover |
|
|
|
return {"ok": True} |
|
|
|
|
|
|
|
client = TestClient(app, root_path="/api/v1") |
|
|
|
@ -80,7 +64,7 @@ def test_configured_servers_not_mutated(): |
|
|
|
app = FastAPI(servers=configured_servers) |
|
|
|
|
|
|
|
@app.get("/") |
|
|
|
def read_root(): |
|
|
|
def read_root(): # pragma: no cover |
|
|
|
return {"ok": True} |
|
|
|
|
|
|
|
# Request with a rogue root_path |
|
|
|
|