mirror of
https://github.com/git-pkgs/proxy.git
synced 2026-06-02 16:48:16 -04:00
a4fd333d48containsPathTraversal only checked literal ".." segments separated by forward slashes. Encoded forms like %2e%2e%2f or backslash separators would slip past if a caller ever passed a raw or Windows-style path. The check now URL-decodes the input and treats backslashes as separators before splitting. Go's stdlib already decodes r.URL.Path so the encoded case is mostly belt-and-braces for cache keys and other non-router inputs, but the storage layer guard from #106 makes this worth locking in with tests. Fixes #74
36 lines
944 B
Go
36 lines
944 B
Go
package handler
|
|
|
|
import "testing"
|
|
|
|
func TestContainsPathTraversal(t *testing.T) {
|
|
tests := []struct {
|
|
path string
|
|
want bool
|
|
}{
|
|
{"pool/main/n/nginx/nginx_1.0.deb", false},
|
|
{"releases/39/Packages/test.rpm", false},
|
|
{"../etc/passwd", true},
|
|
{"pool/../../etc/passwd", true},
|
|
{"pool/main/../../../etc/shadow", true},
|
|
{"pool/..hidden/file", false}, // ".." as a segment, not "..hidden"
|
|
{"", false},
|
|
{"%2e%2e/etc/passwd", true},
|
|
{"%2e%2e%2fetc%2fpasswd", true},
|
|
{"pool/%2e%2e/%2e%2e/etc/shadow", true},
|
|
{"%2E%2E%2Fetc", true},
|
|
{`..\\etc\\passwd`, true},
|
|
{`pool\\..\\..\\etc`, true},
|
|
{"%2e%2e%5cetc%5cpasswd", true},
|
|
{"pool/%2e%2ehidden/file", false},
|
|
{"pool/%zz/bad-encoding", false},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.path, func(t *testing.T) {
|
|
got := containsPathTraversal(tt.path)
|
|
if got != tt.want {
|
|
t.Errorf("containsPathTraversal(%q) = %v, want %v", tt.path, got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|