mirror of
https://github.com/restic/rest-server.git
synced 2025-10-19 15:43:21 +00:00
a628c4e01a
This commit introduces the strict checks from net/http.Dir, which fixes a directory traversal issue. Closes #22
39 lines
1 KiB
Go
39 lines
1 KiB
Go
package restserver
|
|
|
|
import (
|
|
"path/filepath"
|
|
"testing"
|
|
)
|
|
|
|
func TestJoin(t *testing.T) {
|
|
var tests = []struct {
|
|
base, name string
|
|
result string
|
|
}{
|
|
{"/", "foo/bar", "/foo/bar"},
|
|
{"/srv/server", "foo/bar", "/srv/server/foo/bar"},
|
|
{"/srv/server", "/foo/bar", "/srv/server/foo/bar"},
|
|
{"/srv/server", "foo/../bar", "/srv/server/bar"},
|
|
{"/srv/server", "../bar", "/srv/server/bar"},
|
|
{"/srv/server", "..", "/srv/server"},
|
|
{"/srv/server", "../..", "/srv/server"},
|
|
{"/srv/server", "/repo/data/", "/srv/server/repo/data"},
|
|
{"/srv/server", "/repo/data/../..", "/srv/server"},
|
|
{"/srv/server", "/repo/data/../data/../../..", "/srv/server"},
|
|
{"/srv/server", "/repo/data/../data/../../..", "/srv/server"},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
t.Run("", func(t *testing.T) {
|
|
got, err := join(filepath.FromSlash(test.base), test.name)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
want := filepath.FromSlash(test.result)
|
|
if got != want {
|
|
t.Fatalf("wrong result returned, want %v, got %v", want, got)
|
|
}
|
|
})
|
|
}
|
|
}
|