From 5611d1c9b64e694a4f8dd2085afa23022ba854cd Mon Sep 17 00:00:00 2001
From: Matt Miller
Date: Thu, 2 Jul 2026 20:08:13 -0700
Subject: [PATCH] security: address CodeRabbit review feedback on GHSA-779p tests
- test #3: guard the symlink-escape test with a try/except skip so it no longer errors on Windows CI where os.symlink needs elevated privileges / Developer Mode (mirrors the guard in the sibling test #2).
- test #5: refresh the stale module docstring to describe the actual /view gating (view_image closure calling folder_paths.is_dangerous_content_type, the normalising check) instead of the bypassable raw set-membership test.
---
 .../test_ghsa_779p_03_annotated_traversal.py | 8 +++++++-
 ...st_ghsa_779p_05_dangerous_content_types.py | 19 ++++++++++++-------
 2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/tests-unit/security_test/test_ghsa_779p_03_annotated_traversal.py b/tests-unit/security_test/test_ghsa_779p_03_annotated_traversal.py
index 59c09085c..88102760c 100644
--- a/tests-unit/security_test/test_ghsa_779p_03_annotated_traversal.py
+++ b/tests-unit/security_test/test_ghsa_779p_03_annotated_traversal.py
@@ -87,8 +87,14 @@ def test_is_within_directory_symlink_escape(sandbox):
 f.write("top secret")
 # Plant a symlink inside base that points at the outside directory.
+ # symlink creation can require elevated privileges / Developer Mode on
+ # Windows, so skip cleanly where it isn't available (same guard as the
+ # sibling test in test_ghsa_779p_02_preview_traversal.py).
 link = os.path.join(base, "escape_link")
- os.symlink(outside, link)
+ try:
+ os.symlink(outside, link)
+ except (OSError, NotImplementedError):
+ pytest.skip("symlinks not supported on this platform/filesystem")
 # Accessing the secret "through" the in-base symlink must be rejected.
 target_via_link = os.path.join(link, "secret.txt")
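Review bot: The new `except (OSError, NotImplementedError)` around `os.symlink(outside, link)` turns every OSError into a skip, so a genuine failure (the sandbox base or outside directory missing, an unexpected EEXIST, a permission problem unrelated to symlink privilege) silently demotes a GHSA regression test from a failure to a skip instead of surfacing the problem. The motivation given in the added comment is the Windows privilege case, which is identifiable: CPython raises it as an OSError whose `winerror` is 1314 (ERROR_PRIVILEGE_NOT_HELD), while NotImplementedError is the signal for platforms with no symlink support at all. I would narrow the guard to those two cases and re-raise anything else, as below; this assumes `pytest` is already imported at the top of the module, which the hunk does not show. The sibling guard in test_ghsa_779p_02_preview_traversal.py that the comment cites is not in this diff, but if it uses the same broad catch it would benefit from the same narrowing.
```python
    link = os.path.join(base, "escape_link")
    try:
        os.symlink(outside, link)
    except NotImplementedError:
        pytest.skip("symlinks not supported on this platform/filesystem")
    except OSError as exc:
        # 1314 == ERROR_PRIVILEGE_NOT_HELD: Windows without Developer Mode /
        # SeCreateSymbolicLinkPrivilege. Anything else is a real failure.
        if getattr(exc, "winerror", None) != 1314:
            raise
        pytest.skip("symlink creation requires elevated privileges on Windows")
    # … unchanged: access through the symlink must be rejected …
```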
diff --git a/tests-unit/security_test/test_ghsa_779p_05_dangerous_content_types.py b/tests-unit/security_test/test_ghsa_779p_05_dangerous_content_types.py
index b7a1507cf..0e9355b2a 100644
--- a/tests-unit/security_test/test_ghsa_779p_05_dangerous_content_types.py
+++ b/tests-unit/security_test/test_ghsa_779p_05_dangerous_content_types.py
@@ -5,13 +5,18 @@ blocklist covered text/html, text/javascript, etc. but was missing image/svg+xml, so an uploaded SVG carrying an inline