improve path traversal protection

Adds protections against absolute paths and ".." directory traversal.
author: Sami Hiltunen <shiltunen@gitlab.com> 2020-04-02 19:48:23 +0300
committer: Sami Hiltunen <shiltunen@gitlab.com> 2020-04-21 13:01:45 +0300
commit: 8e7b89af701c65d551e0b7f665c883c723209961 (patch)
tree: dc3fed94017994a1928418ecb9ba89e128dcfff8 /internal/helper/security_test.go
parent: 095cbf10e4fc102fed6e0ae307dfb5f03ecd275b (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/internal/helper/security_test.go b/internal/helper/security_test.go
index 9a8125dac..e983c56e1 100644
--- a/internal/helper/security_test.go
+++ b/internal/helper/security_test.go
@@ -16,10 +16,21 @@ func TestContainsPathTraversal(t *testing.T) {
 		{"subdir/..", true},
 		{"subdir", false},
 		{"./subdir", false},
+		{"..", true},
+		{".", false},
+		{"/absolute", true},
+		{"double//slash", false},
+		{"trailing-slash/", false},
+		{"whitespace-named/ /directory", false},
+		{" whitespace/leading-name", false},
+		{"whitespace-trailing/name ", false},
+		{"whitespace in/directory name", false},
 	}
 
 	for _, tc := range testCases {
-		assert.Equal(t, tc.containsTraversal, ContainsPathTraversal(tc.path))
+		t.Run(tc.path, func(t *testing.T) {
+			assert.Equal(t, tc.containsTraversal, ContainsPathTraversal(tc.path))
+		})
 	}
 }
author	Sami Hiltunen <shiltunen@gitlab.com>	2020-04-02 19:48:23 +0300
committer	Sami Hiltunen <shiltunen@gitlab.com>	2020-04-21 13:01:45 +0300
commit	8e7b89af701c65d551e0b7f665c883c723209961 (patch)
tree	dc3fed94017994a1928418ecb9ba89e128dcfff8 /internal/helper/security_test.go
parent	095cbf10e4fc102fed6e0ae307dfb5f03ecd275b (diff)