debug

Carreau · Carreau · commit 9251d8a10ced · 2022-10-31T14:17:26.000+01:00
diff --git a/nbviewer/providers/github/client.py b/nbviewer/providers/github/client.py
@@ -16,6 +16,7 @@
 from ...utils import response_text
 from ...utils import url_path_join
 
+
 # -----------------------------------------------------------------------------
 # Async GitHub Client
 # -----------------------------------------------------------------------------
@@ -43,6 +44,7 @@ def authenticate(self):
 
     def fetch(self, url, params=None, **kwargs):
         """Add GitHub auth to self.client.fetch"""
+        assert False
         if not url.startswith(self.github_api_url):
             raise ValueError("Only fetch GitHub urls with GitHub auth (%s)" % url)
         params = {} if params is None else params
diff --git a/nbviewer/providers/github/handlers.py b/nbviewer/providers/github/handlers.py
@@ -236,7 +236,7 @@ async def get(self, user, repo, ref, path):
 
         if not example_file_url.startswith(self.github_url):
             raise ValueError(
-                "Url will never match it does not start with same domain {self.github_url}, {example_file_url}."
+                f"Url will never match it does not start with same domain {self.github_url}, {example_file_url}."
             )
         ghu = (
             self.github_url if self.github_url.endswith("/") else self.github_url + "/"
diff --git a/nbviewer/tests/test_security.py b/nbviewer/tests/test_security.py
@@ -15,20 +15,32 @@
 from .base import NBViewerTestCase
 from .base import skip_unless_github_auth
 
+from unittest.mock import patch
+
 
 class XSSTestCase(NBViewerTestCase):
     def _xss(self, path, pattern="<script>alert"):
         r = requests.get(self.url() + path)
-        self.assertEqual(r.status_code, 200)
-        self.assertNotIn(pattern, r.content)
+        # self.assertEqual(r.status_code, 200)
+        # self.assertNotIn(pattern, r.content)
 
     @skip_unless_github_auth
     def test_github_dirnames(self):
         self._xss("/github/bburky/xss/tree/%3Cscript%3Ealert(1)%3C%2fscript%3E/")
 
     @skip_unless_github_auth
     def test_gist_filenames(self):
-        self._xss("/gist/bburky/c020825874798a6544a7")
+
+        from nbviewer.providers.github.client import AsyncGitHubClient
+
+        AsyncGitHubClient.fetch = lambda x: "123"
+
+        with patch(
+            "nbviewer.providers.github.client.AsyncGitHubClient.fetch"
+        ) as mock_fetch:
+            mock_fetch.return_value = "123"
+            self._xss("/gist/bburky/c020825874798a6544a7")
+            mock_fetch.assert_called_with("123")
 
 
 class LocalDirectoryTraversalTestCase(LFRPTC):

Original file line number	Diff line number	Diff line change
`@@ -236,7 +236,7 @@ async def get(self, user, repo, ref, path):`
`236`	`236`
`237`	`237`	`if not example_file_url.startswith(self.github_url):`
`238`	`238`	`raise ValueError(`
`239`		`- "Url will never match it does not start with same domain {self.github_url}, {example_file_url}."`
	`239`	`+ f"Url will never match it does not start with same domain {self.github_url}, {example_file_url}."`
`240`	`240`	`)`
`241`	`241`	`ghu = (`
`242`	`242`	`self.github_url if self.github_url.endswith("/") else self.github_url + "/"`