Diffstat (limited to 'internal/helper/repo_test.go')
-rw-r--r-- | internal/helper/repo_test.go | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/internal/helper/repo_test.go b/internal/helper/repo_test.go
index 07ea8b409..29e3daa7b 100644
--- a/internal/helper/repo_test.go
+++ b/internal/helper/repo_test.go
@@ -96,6 +96,42 @@ func TestGetRepoPath(t *testing.T) {
 repo: &pb.Repository{Path: "/made/up/path.git"},
 err: codes.NotFound,
 },
+ {
+ desc: "relative path with directory traversal",
+ storages: exampleStorages,
+ repo: &pb.Repository{StorageName: "default", RelativePath: "../bazqux.git"},
+ err: codes.InvalidArgument,
+ },
+ {
+ desc: "valid path with ..",
+ storages: exampleStorages,
+ repo: &pb.Repository{StorageName: "default", RelativePath: "foo../bazqux.git"},
+ err: codes.NotFound, // Because the directory doesn't exist
+ },
+ {
+ desc: "relative path with sneaky directory traversal",
+ storages: exampleStorages,
+ repo: &pb.Repository{StorageName: "default", RelativePath: "/../bazqux.git"},
+ err: codes.InvalidArgument,
+ },
+ {
+ desc: "relative path with one level traversal at the end",
+ storages: exampleStorages,
+ repo: &pb.Repository{StorageName: "default", RelativePath: testhelper.TestRelativePath + "/.."},
+ err: codes.InvalidArgument,
+ },
+ {
+ desc: "relative path with one level dashed traversal at the end",
+ storages: exampleStorages,
+ repo: &pb.Repository{StorageName: "default", RelativePath: testhelper.TestRelativePath + "/../"},
+ err: codes.InvalidArgument,
+ },
+ {
+ desc: "relative path with deep traversal at the end",
+ storages: exampleStorages,
+ repo: &pb.Repository{StorageName: "default", RelativePath: "bazqux.git/../.."},
+ err: codes.InvalidArgument,
+ },
 }

 for _, tc := range testCases { |
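Review bot: The new table entries never exercise a `..` segment in the middle of RelativePath that resolves back inside the storage root, so the test does not pin whether the validator rejects every `..` segment or only paths that escape the storage. A further case such as `repo: &pb.Repository{StorageName: "default", RelativePath: "foo/../bazqux.git"},` with the error code the implementation intends would fix that contract; judging from the `testhelper.TestRelativePath + "/.."` case, which presumably stays inside the storage, that is likely `codes.InvalidArgument`, but the validation code is not visible here. The description "one level dashed traversal at the end" presumably means "slashed", since its input differs from the previous case only by the trailing `/`. TestGetRepoPath starts before this hunk and its loop body continues after it.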