diff --git a/README.md b/README.md index 6027903de217b6516f96a67df22473728da25f44..2c4d7e6d820e3550af109faa57575bc187f3cd9d 100644 --- a/README.md +++ b/README.md @@ -25,12 +25,13 @@ use for this. Instructions can be found in the official LinkAhead `scripting/bin-debug`. - Modify `pylinkahead.ini.template` and save it as `pylinkahead.ini`, taking care of the following points: - Certificates must be valid and be specified in `pylinkahead.ini`. - - Server-side scripting paths must be given, otherwise server-side scripting will be omitted. - - The local path `test_server_side_scripting.bin_dir.local` should point to a - `linkahead-server/scripting/bin` somwhere. - - The remote path `test_server_side_scripting.bin_dir.server` should probably be something like - `/opt/caosdb/git/caosdb-server/scripting/bin-debug`. - - Paths for the file tests must exist, or be creatable by the testing script and the server. + - Server-side scripting paths must be given, otherwise server-side + scripting will be omitted. The remote path + `test_server_side_scripting.bin_dir.server` should probably be + something like + `/opt/caosdb/git/caosdb-server/scripting/bin-debug`. + - Paths for the file tests must exist, or be creatable by the + testing script and the server. ### Run the tests diff --git a/tests/test_server_side_scripting.py b/tests/test_server_side_scripting.py index e0f60b1f6dae66800adf7652dcd703293261226e..456461ea34599198841f7a2394b9cc5ef9eebb50 100644 --- a/tests/test_server_side_scripting.py +++ b/tests/test_server_side_scripting.py @@ -45,12 +45,6 @@ from pytest import mark, raises _TEST_SCRIPTS = ["not_executable", "ok", "err", "ok_anonymous"] -try: - _SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL = get_config().get( - "IntegrationTests", - "test_server_side_scripting.bin_dir.local") -except Exception: - _SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL = tempfile.mkdtemp() try: _SERVER_SIDE_SCRIPTING_BIN_DIR_SERVER = get_config().get( "IntegrationTests", 
@@ -108,25 +102,6 @@ def setup_module():
 "SERVER_SIDE_SCRIPTING_BIN_DIRS")
 clean_database()
- from os import makedirs
- from os.path import exists, isdir, join
- from shutil import copyfile, copymode
- print("bin dir (local): " + str(_SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL))
- print("bin dir (server): " + str(_SERVER_SIDE_SCRIPTING_BIN_DIR_SERVER))
- print("tests scripts: " + str(_TEST_SCRIPTS))
-
- if not exists(_SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL):
- makedirs(_SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL)
- _REMOVE_FILES_AFTERWARDS.append(_SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL)
- assert isdir(_SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL)
-
- for script_file in _TEST_SCRIPTS:
- target = join(_SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL, script_file)
- src = join(_TEST_SCRIPTS_DIR, script_file)
- copyfile(src, target)
- copymode(src, target)
- _REMOVE_FILES_AFTERWARDS.append(target)
-
 def teardown_module():
 from os import remove
@@ -432,20 +407,16 @@ def test_anonymous_script_calling_success():
 @mark.local_server
 def test_evil_path():
- subdir = os.path.join(_SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL, "subdir")
+ """Test that we can't "escape" from the defined bin dirs, i.e.,
+ can't execute scripts in arbitrary locations.
+
+ """
- if not os.path.exists(subdir):
- os.makedirs(subdir)
- _REMOVE_FILES_AFTERWARDS.append(subdir)
+ # Set SSS bin dir to "subdir" sub directory
 admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIRS", os.path.join(_SERVER_SIDE_SCRIPTING_BIN_DIR_SERVER, "subdir"))
-
- # ok exists one level up from "subdir"
- assert os.path.exists(
- os.path.join(
- _SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL,
- "ok"))
-
+ # The parent directory is not in the list of SSS bin dirs, so the
+ # server must not allow the execution of ok.
 with raises(HTTPResourceNotFoundError):
 r = run_server_side_script("../ok")
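Review bot: In `test_evil_path`, the expected `HTTPResourceNotFoundError` for `"../ok"` no longer shows that the bin-dir restriction is what rejected the call, because nothing in the new code establishes that `ok` exists one level above `subdir` on the server, or that `subdir` exists at all. The removed `assert os.path.exists(...)` was that precondition for the local copy; without a replacement the test also passes when the script is simply absent, so a regression in the confinement check could go unnoticed. A positive control before `admin.set_server_property(...)` would restore it, for example `run_server_side_script("ok")` with the comment `# control: ok is reachable via the parent bin dir, so the 404 below comes from the restriction`, assuming the parent directory is the configured bin dir at that point. Whether `SERVER_SIDE_SCRIPTING_BIN_DIRS` is reset afterwards is not visible here, and the function may continue past the hunk's last line.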