forked from mirrors/pkg-proxy
bf7e83efe3The debian and rpm handlers take the request path and pass it directly to the upstream URL without checking for ".." segments. This could let a client craft a request that reaches unintended upstream paths. Add a containsPathTraversal check at the entry point of both handlers and return 400 for any path containing ".." segments.
27 lines
641 B
Go
27 lines
641 B
Go
package handler
|
|
|
|
import "testing"
|
|
|
|
func TestContainsPathTraversal(t *testing.T) {
|
|
tests := []struct {
|
|
path string
|
|
want bool
|
|
}{
|
|
{"pool/main/n/nginx/nginx_1.0.deb", false},
|
|
{"releases/39/Packages/test.rpm", false},
|
|
{"../etc/passwd", true},
|
|
{"pool/../../etc/passwd", true},
|
|
{"pool/main/../../../etc/shadow", true},
|
|
{"pool/..hidden/file", false}, // ".." as a segment, not "..hidden"
|
|
{"", false},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.path, func(t *testing.T) {
|
|
got := containsPathTraversal(tt.path)
|
|
if got != tt.want {
|
|
t.Errorf("containsPathTraversal(%q) = %v, want %v", tt.path, got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|