Fix leakage contents

trungleduc · trungleduc · commit 2d82e69d1545 · 2023-08-10T17:16:57.000+02:00
diff --git a/tests/app/contents_handler_test.py b/tests/app/contents_handler_test.py
@@ -0,0 +1,49 @@
+import json
+import pytest
+import tornado
+
+
+@pytest.fixture
+def preheat_mode():
+    return False
+
+
+@pytest.fixture
+def contents_prefix(base_url):
+    return base_url + "voila/api/contents"
+
+
+@pytest.fixture
+def voila_args(notebook_directory, voila_args_extra):
+    return ["--VoilaTest.root_dir=%r" % notebook_directory, *voila_args_extra]
+
+
+@pytest.fixture
+def voila_args_extra():
+    return ['--VoilaConfiguration.extension_language_mapping={".py": "python"}']
+
+
+async def test_contents_endpoint(http_server_client, contents_prefix):
+    response = await http_server_client.fetch(contents_prefix)
+    html_json = json.loads(response.body.decode("utf-8"))
+    assert "content" in html_json
+    assert len(html_json["content"]) > 0
+
+
+async def test_get_notebook(http_server_client, contents_prefix):
+    response = await http_server_client.fetch(contents_prefix + "/autokill.ipynb")
+    html_json = json.loads(response.body.decode("utf-8"))
+    assert html_json["name"] == "autokill.ipynb"
+    assert html_json["content"] is None
+
+
+async def test_get_not_allowed_file(http_server_client, contents_prefix):
+    with pytest.raises(tornado.httpclient.HTTPClientError):
+        await http_server_client.fetch(contents_prefix + "/print.xcpp")
+
+
+async def test_get_allowed_file(http_server_client, contents_prefix):
+    response = await http_server_client.fetch(contents_prefix + "/print.py")
+    html_json = json.loads(response.body.decode("utf-8"))
+    assert html_json["name"] == "print.py"
+    assert html_json["content"] is None
diff --git a/voila/app.py b/voila/app.py
@@ -680,13 +680,6 @@ def init_handlers(self) -> List:
                         "no_cache_paths": ["/"],
                     },
                 ),
-                (
-                    url_path_join(
-                        self.server_url, r"/voila/api/contents%s" % path_regex
-                    ),
-                    VoilaContentsHandler,
-                    tree_handler_conf,
-                ),
                 (
                     url_path_join(self.server_url, r"/voila/api/shutdown/(.*)"),
                     VoilaShutdownKernelHandler,
@@ -762,6 +755,14 @@ def init_handlers(self) -> List:
                             "prelaunch_hook": self.prelaunch_hook,
                         },
                     ),
+                    # On serving a directory, expose the content handler.
+                    (
+                        url_path_join(
+                            self.server_url, r"/voila/api/contents%s" % path_regex
+                        ),
+                        VoilaContentsHandler,
+                        tree_handler_conf,
+                    ),
                 ]
             )
         return handlers
diff --git a/voila/configuration.py b/voila/configuration.py
@@ -38,7 +38,7 @@ class VoilaConfiguration(traitlets.config.Configurable):
     classic_tree = Bool(
         False,
         config=True,
-        help=("Use the jinja2-based tree page instead of the new JupyterLab-based one"),
+        help=("Use the jija2-based tree page instead of the new JupyterLab-based one"),
     )
     resources = Dict(
         allow_none=True,
diff --git a/voila/tornado/contentshandler.py b/voila/tornado/contentshandler.py
@@ -32,11 +32,6 @@ async def get(self, path=""):
         path = path or ""
         cm = self.contents_manager
 
-        type = self.get_query_argument("type", default=None)
-        if type not in {None, "directory", "file", "notebook"}:
-            # fall back to file if unknown type
-            type = "file"
-
         format = self.get_query_argument("format", default=None)
         if format not in {None, "text", "base64"}:
             raise web.HTTPError(400, "Format %r is invalid" % format)
@@ -51,23 +46,29 @@ async def get(self, path=""):
         model = await ensure_async(
             self.contents_manager.get(
                 path=path,
-                type=type,
+                type=None,
                 format=format,
                 content=content,
             )
         )
 
         validate_model(model, expect_content=content)
-        if type is None or type == "directory":
 
-            def allowed_content(content):
-                if content["type"] in ["directory", "notebook"]:
-                    return True
-                __, ext = os.path.splitext(content.get("path"))
-                return ext in self.allowed_extensions
+        def allowed_content(content):
+            if content["type"] in ["directory", "notebook"]:
+                return True
+            __, ext = os.path.splitext(content.get("path"))
+            return ext in self.allowed_extensions
+
+        if not allowed_content(model):
+            raise web.HTTPError(404, f"file or directory {path!r} does not exist")
 
-            model["content"] = sorted(model["content"], key=lambda i: i["name"])
-            model["content"] = list(filter(allowed_content, model["content"]))
+        if model["type"] == "directory":
+            try:
+                model["content"] = sorted(model["content"], key=lambda i: i["name"])
+                model["content"] = list(filter(allowed_content, model["content"]))
+            except Exception:
+                model["content"] = None
         else:
             # Make sure we don't leak the file content.
             model["content"] = None

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ class VoilaConfiguration(traitlets.config.Configurable):`
`38`	`38`	`classic_tree = Bool(`
`39`	`39`	`False,`
`40`	`40`	`config=True,`
`41`		`- help=("Use the jinja2-based tree page instead of the new JupyterLab-based one"),`
	`41`	`+ help=("Use the jija2-based tree page instead of the new JupyterLab-based one"),`
`42`	`42`	`)`
`43`	`43`	`resources = Dict(`
`44`	`44`	`allow_none=True,`