2020-04-02 12:08:18 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
2020-06-24 09:08:32 +00:00
|
|
|
RSpec.describe API::Validations::Validators::FilePath do
|
2020-04-02 12:08:18 +00:00
|
|
|
include ApiValidatorsHelpers
|
|
|
|
|
|
|
|
subject do
|
2020-07-22 00:09:26 +00:00
|
|
|
described_class.new(['test'], params, false, scope.new)
|
2020-04-02 12:08:18 +00:00
|
|
|
end
|
|
|
|
|
2020-07-22 00:09:26 +00:00
|
|
|
context 'when allowlist is not set' do
|
|
|
|
shared_examples 'file validation' do
|
|
|
|
context 'valid file path' do
|
|
|
|
it 'does not raise a validation error' do
|
|
|
|
expect_no_validation_error('test' => './foo')
|
|
|
|
expect_no_validation_error('test' => './bar.rb')
|
|
|
|
expect_no_validation_error('test' => 'foo%2Fbar%2Fnew%2Ffile.rb')
|
|
|
|
expect_no_validation_error('test' => 'foo%2Fbar%2Fnew')
|
|
|
|
expect_no_validation_error('test' => 'foo/bar')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'invalid file path' do
|
|
|
|
it 'raise a validation error' do
|
|
|
|
expect_validation_error('test' => '../foo')
|
|
|
|
expect_validation_error('test' => '../')
|
|
|
|
expect_validation_error('test' => 'foo/../../bar')
|
|
|
|
expect_validation_error('test' => 'foo/../')
|
|
|
|
expect_validation_error('test' => 'foo/..')
|
|
|
|
expect_validation_error('test' => '../')
|
|
|
|
expect_validation_error('test' => '..\\')
|
|
|
|
expect_validation_error('test' => '..\/')
|
|
|
|
expect_validation_error('test' => '%2e%2e%2f')
|
|
|
|
expect_validation_error('test' => '/etc/passwd')
|
|
|
|
expect_validation_error('test' => 'test%0a/etc/passwd')
|
|
|
|
expect_validation_error('test' => '%2Ffoo%2Fbar%2Fnew%2Ffile.rb')
|
|
|
|
expect_validation_error('test' => '%252Ffoo%252Fbar%252Fnew%252Ffile.rb')
|
|
|
|
expect_validation_error('test' => 'foo%252Fbar%252Fnew%252Ffile.rb')
|
|
|
|
expect_validation_error('test' => 'foo%25252Fbar%25252Fnew%25252Ffile.rb')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'file validation' do
|
|
|
|
let(:params) { {} }
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'file validation' do
|
|
|
|
let(:params) { true }
|
2020-04-02 12:08:18 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-07-22 00:09:26 +00:00
|
|
|
context 'when allowlist is set' do
|
|
|
|
let(:params) { { allowlist: ['/home/bar'] } }
|
|
|
|
|
|
|
|
context 'when file path is included in the allowlist' do
|
|
|
|
it 'does not raise a validation error' do
|
|
|
|
expect_no_validation_error('test' => '/home/bar')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when file path is not included in the allowlist' do
|
|
|
|
it 'raises a validation error' do
|
|
|
|
expect_validation_error('test' => '/foo/xyz')
|
|
|
|
end
|
2020-04-02 12:08:18 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|