Stowage/rest-server
2
0
Fork 0
mirror of https://github.com/restic/rest-server.git synced 2025-10-19 15:43:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix directory traversal

Browse source 
This commit introduces the strict checks from net/http.Dir, which fixes
a directory traversal issue.

Closes #22
This commit is contained in:
Alexander Neumann 2017-07-30 14:30:18 +02:00 committed by Zlatko Čalušić
parent 9a6bb5eebe
commit a628c4e01a
2 changed files with 172 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

39
handlers_test.go Normal file
View file

@ -0,0 +1,39 @@
package restserver
import (
"path/filepath"
"testing"
)
func TestJoin(t *testing.T) {
var tests = []struct {
base, name string
result string
}{
{"/", "foo/bar", "/foo/bar"},
{"/srv/server", "foo/bar", "/srv/server/foo/bar"},
{"/srv/server", "/foo/bar", "/srv/server/foo/bar"},
{"/srv/server", "foo/../bar", "/srv/server/bar"},
{"/srv/server", "../bar", "/srv/server/bar"},
{"/srv/server", "..", "/srv/server"},
{"/srv/server", "../..", "/srv/server"},
{"/srv/server", "/repo/data/", "/srv/server/repo/data"},
{"/srv/server", "/repo/data/../..", "/srv/server"},
{"/srv/server", "/repo/data/../data/../../..", "/srv/server"},
{"/srv/server", "/repo/data/../data/../../..", "/srv/server"},
}
for _, test := range tests {
t.Run("", func(t *testing.T) {
got, err := join(filepath.FromSlash(test.base), test.name)
if err != nil {
t.Fatal(err)
}
want := filepath.FromSlash(test.result)
if got != want {
t.Fatalf("wrong result returned, want %v, got %v", want, got)
}
})
}
}