alist-org
GitHub Repository: alist-org/alist
Path: blob/main/internal/archive/tool/securepath_test.go
package tool
import (
"path/filepath"
"strings"
"testing"
)
// TestSecureJoin exercises SecureJoin with archive entry names joined onto a
// temporary base directory.
//
// One entry is a plain relative path and must be accepted; the result is then
// checked with filepath.Rel to confirm it does not resolve above the base
// directory. The remaining entries must be rejected: a leading ".." written
// with a forward slash and with a backslash, a Unix absolute path, a Windows
// drive-letter path and a UNC path. For every rejection the error text must
// contain the offending entry name, so an operator can tell which archive
// member was refused.
//
// NOTE(review): the table only covers entries whose first component is the
// problem. It has no case for ".." appearing after a legitimate directory
// component, and nothing here touches the filesystem, so behaviour with
// symlinked path components is not exercised by this test. Confirm whether
// those are covered elsewhere.
func TestSecureJoin(t *testing.T) {
	root := t.TempDir()

	type joinCase struct {
		name    string
		entry   string
		wantErr bool
	}
	cases := []joinCase{
		{name: "ok", entry: "a/b/c.txt", wantErr: false},
		{name: "parent", entry: "../evil.txt", wantErr: true},
		// Backslash-separated forms are listed unconditionally, so they are
		// expected to be rejected on whatever OS the test runs on.
		{name: "parent-backslash", entry: "..\\evil.txt", wantErr: true},
		{name: "abs", entry: "/tmp/evil.txt", wantErr: true},
		{name: "drive", entry: "C:\\evil.txt", wantErr: true},
		{name: "unc", entry: "\\\\server\\share\\evil.txt", wantErr: true},
	}

	for _, c := range cases {
		t.Run(c.name, func(t *testing.T) {
			joined, joinErr := SecureJoin(root, c.entry)

			switch {
			case c.wantErr && joinErr == nil:
				t.Fatalf("expected error for %q, got nil", c.entry)
			case c.wantErr:
				// A rejection must identify the entry that triggered it.
				if msg := joinErr.Error(); !strings.Contains(msg, c.entry) {
					t.Fatalf("error should include entry name %q, got %q", c.entry, msg)
				}
				return
			case joinErr != nil:
				t.Fatalf("unexpected error for %q: %v", c.entry, joinErr)
			}

			// Accepted entry: the joined path, expressed relative to the
			// base directory, must not be ".." or start with "../".
			rel, relErr := filepath.Rel(root, joined)
			if relErr != nil {
				t.Fatalf("Rel failed: %v", relErr)
			}
			escapePrefix := ".." + string(filepath.Separator)
			if rel == ".." || strings.HasPrefix(rel, escapePrefix) {
				t.Fatalf("path escaped baseDir: %q", joined)
			}
		})
	}
}