author | JoramWilander <jwawilander@gmail.com> | 2015-07-21 15:18:17 -0400 |
committer | JoramWilander <jwawilander@gmail.com> | 2015-07-21 19:22:04 -0400 |
commit | 39abf24708870cec71a84c01063e647b859b2b67 (patch) | |
tree | 16b57362681ad4d771a89e11e649a6d942e8ccb6 /api/file_test.go | |
parent | 04408eea375439d69b61d65155fea863b3b1834c (diff) | |
added sanitization to filenames to remove the possibility of relative paths
Diffstat (limited to 'api/file_test.go')
-rw-r--r-- | api/file_test.go | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/api/file_test.go b/api/file_test.go
index d5817234d..3f414d768 100644
--- a/api/file_test.go
+++ b/api/file_test.go
@@ -38,7 +38,7 @@ func TestUploadFile(t *testing.T) {
 body := &bytes.Buffer{}
 writer := multipart.NewWriter(body)
- part, err := writer.CreateFormFile("files", "test.png")
+ part, err := writer.CreateFormFile("files", "../test.png")
 if err != nil {
 t.Fatal(err)
 }
@@ -75,6 +75,9 @@ func TestUploadFile(t *testing.T) {
 filenames := strings.Split(resp.Data.(*model.FileUploadResponse).Filenames[0], "/")
 filename := filenames[len(filenames)-2] + "/" + filenames[len(filenames)-1]
+ if strings.Contains(filename, "../") {
+ t.Fatal("relative path should have been sanitized out")
+ }
 fileId := strings.Split(filename, ".")[0]
 var auth aws.Auth
@@ -104,6 +107,9 @@ func TestUploadFile(t *testing.T) {
 } else if utils.Cfg.ServiceSettings.UseLocalStorage && len(utils.Cfg.ServiceSettings.StorageDirectory) > 0 {
 filenames := strings.Split(resp.Data.(*model.FileUploadResponse).Filenames[0], "/")
 filename := filenames[len(filenames)-2] + "/" + filenames[len(filenames)-1]
+ if strings.Contains(filename, "../") {
+ t.Fatal("relative path should have been sanitized out")
+ }
 fileId := strings.Split(filename, ".")[0]
 // wait a bit for files to ready
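Review bot: Replacing the fixture name `"test.png"` with `"../test.png"` in the first hunk removes the only upload case with a well-formed filename, so a sanitizer that mangles ordinary names would now go unnoticed. Keep the original upload and add the traversal name as a second case, ideally as a small table such as `"../test.png"`, `"..\\test.png"` and `"a/../../test.png"`, because a single leading `../` is the easiest variant for a naive strip to handle and says little about the others. TestUploadFile's body starts and continues outside this hunk.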
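Review bot: The added `strings.Contains(filename, "../")` check only inspects the two trailing segments that `filename` is rebuilt from on the line above, so a `..` the server left in an earlier segment of `Filenames[0]` would pass, and a sanitizer that merely deletes the literal `../` (leaving `..` or `..\`) would pass as well. Check the full returned path and the bare `..` token instead, e.g. `if p := resp.Data.(*model.FileUploadResponse).Filenames[0]; strings.Contains(p, "..") { t.Fatalf("unsanitized path %q", p) }`. The same check is duplicated in the local-storage hunk below; for that branch the assertion that actually proves no traversal happened is that the stored file resolves under `utils.Cfg.ServiceSettings.StorageDirectory`, which `filepath.Rel` can establish once the file is written. TestUploadFile's body continues outside this hunk.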