# frozen_string_literal: true

require 'spec_helper'

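# Spec for the FilePath API parameter validator: relative paths are accepted,
# while parent-directory traversal, absolute paths and several percent-encoded
# variants must raise a validation error. With an allowlist configured, the
# allowlisted absolute path is accepted and another absolute path is rejected.
RSpec.describe API::Validations::Validators::FilePath do
  # Presumably the source of expect_validation_error / expect_no_validation_error
  # and `scope` -- none of them is defined in this file.
  include ApiValidatorsHelpers

  # Validator instance bound to the 'test' attribute. `params` is the option
  # value passed to the validator; each context below supplies it as `{}`,
  # `true`, or a hash carrying an :allowlist.
  subject do
    described_class.new(['test'], params, false, scope.new)
  end

  context 'when allowlist is not set' do
    shared_examples 'file validation' do
      # One example is generated per path so that a single failing case is
      # reported by name instead of hiding the assertions that follow it.
      accepted_paths = [
        './foo',
        './bar.rb',
        # A percent-encoded slash inside a relative path is accepted.
        'foo%2Fbar%2Fnew%2Ffile.rb',
        'foo%2Fbar%2Fnew',
        'foo/bar'
      ]

      rejected_paths = [
        # Parent-directory traversal: leading, embedded and trailing.
        '../foo',
        '../',
        'foo/../../bar',
        'foo/../',
        'foo/..',
        # Backslash forms: a bare trailing backslash, then backslash + slash.
        '..\\',
        '..\/',
        # Percent-encoded "../".
        '%2e%2e%2f',
        # Absolute path, and a path carrying an encoded newline before one.
        '/etc/passwd',
        'test%0a/etc/passwd',
        # Leading encoded slash, then double- and triple-encoded slashes.
        '%2Ffoo%2Fbar%2Fnew%2Ffile.rb',
        '%252Ffoo%252Fbar%252Fnew%252Ffile.rb',
        'foo%252Fbar%252Fnew%252Ffile.rb',
        'foo%25252Fbar%25252Fnew%25252Ffile.rb'
      ]

      context 'valid file path' do
        accepted_paths.each do |path|
          it "does not raise a validation error for #{path.inspect}" do
            expect_no_validation_error('test' => path)
          end
        end
      end

      context 'invalid file path' do
        rejected_paths.each do |path|
          it "raises a validation error for #{path.inspect}" do
            expect_validation_error('test' => path)
          end
        end
      end
    end

    # The same expectations must hold for both option shapes that carry no allowlist.
    it_behaves_like 'file validation' do
      let(:params) { {} }
    end

    it_behaves_like 'file validation' do
      let(:params) { true }
    end
  end

  context 'when allowlist is set' do
    let(:params) { { allowlist: ['/home/bar'] } }

    # NOTE(review): only an exact allowlist match and an unrelated absolute path
    # are covered. Cases worth pinning once the validator's intended behaviour is
    # confirmed: a path below the allowlisted entry, a path that merely shares
    # its prefix, and a traversal sequence appended to the allowlisted entry.

    context 'when file path is included in the allowlist' do
      it 'does not raise a validation error' do
        expect_no_validation_error('test' => '/home/bar')
      end
    end

    context 'when file path is not included in the allowlist' do
      it 'raises a validation error' do
        expect_validation_error('test' => '/foo/xyz')
      end
    end
  end
end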