Only use 404

sanic/mixins/routes.py

@@ -26,12 +26,7 @@
 from sanic.compat import stat_async
 from sanic.constants import DEFAULT_HTTP_CONTENT_TYPE, HTTP_METHODS
 from sanic.errorpages import RESPONSE_MAPPING
-from sanic.exceptions import (
-    BadRequest,
-    FileNotFound,
-    HeaderNotFound,
-    RangeNotSatisfiable,
-)
+from sanic.exceptions import FileNotFound, HeaderNotFound, RangeNotSatisfiable
 from sanic.handlers import ContentRangeHandler
 from sanic.log import error_logger
 from sanic.models.futures import FutureRoute, FutureStatic
@@ -808,6 +803,11 @@ async def _static_request_handler(
         # Merge served directory and requested file if provided
         file_path_raw = Path(unquote(file_or_directory))
         root_path = file_path = file_path_raw.resolve()
+        not_found = FileNotFound(
+            "File not found",
+            path=file_or_directory,
+            relative_url=__file_uri__,
+        )
 
         if __file_uri__:
             # Strip all / that in the beginning of the URL to help prevent
@@ -819,7 +819,11 @@ async def _static_request_handler(
             if (
                 file_path < root_path and not file_path_raw.is_symlink()
             ) or file_path_raw.match("../**/*"):
-                raise BadRequest("Invalid URL")
+                error_logger.exception(
+                    f"File not found: path={file_or_directory}, "
+                    f"relative_url={__file_uri__}"
+                )
+                raise not_found
 
         if (
             not file_path.is_relative_to(root_path)
@@ -829,11 +833,7 @@ async def _static_request_handler(
                 f"File not found: path={file_or_directory}, "
                 f"relative_url={__file_uri__}"
             )
-            raise FileNotFound(
-                "File not found",
-                path=file_or_directory,
-                relative_url=__file_uri__,
-            )
+            raise not_found
         try:
             headers = {}
             # Check if the client has been sent this file before
@@ -901,11 +901,7 @@ async def _static_request_handler(
         except RangeNotSatisfiable:
             raise
         except FileNotFoundError:
-            raise FileNotFound(
-                "File not found",
-                path=file_or_directory,
-                relative_url=__file_uri__,
-            )
+            raise not_found
         except Exception:
             error_logger.exception(
                 f"Exception in static request handler: "

tests/test_static.py

@@ -617,10 +617,10 @@ def test_breakout(app: Sanic, static_file_directory: str):
     app.static("/foo", static_file_directory)
 
     _, response = app.test_client.get("/foo/..%2Ffake/server.py")
-    assert response.status == 400
+    assert response.status == 404
 
     _, response = app.test_client.get("/foo/..%2Fstatic/test.file")
-    assert response.status == 400
+    assert response.status == 404
 
 
 @pytest.mark.skipif(
@@ -632,6 +632,6 @@ def test_double_backslash_prohibited_on_win32(
     app.static("/foo", static_file_directory)
 
     _, response = app.test_client.get("/foo/static/..\\static/test.file")
-    assert response.status == 400
+    assert response.status == 404
     _, response = app.test_client.get("/foo/static\\../static/test.file")
-    assert response.status == 400
+    assert response.status == 404