From c5fc504cb26be0c2e96083c0bad6c79d278e3afc Mon Sep 17 00:00:00 2001
From: Harrison Healey
Date: Mon, 15 Aug 2016 17:38:55 -0400
Subject: PLT-3617 Switched public file links to use a sha256 hash (#3792)
* Changed FileSettings.PublicLinkSalt to be a pointer
* Switched public file links to use a sha256 hash
---
 api/file_test.go | 45 ++++++++++++++++++++++++++-------------------
 1 file changed, 26 insertions(+), 19 deletions(-)
(limited to 'api/file_test.go')
diff --git a/api/file_test.go b/api/file_test.go
index fe7355122..764f326cd 100644
--- a/api/file_test.go
+++ b/api/file_test.go
@@ -290,15 +290,7 @@ func TestGetPublicFile(t *testing.T) {
 }
 if resp, err := http.Get(link[:strings.LastIndex(link, "?")]); err == nil && resp.StatusCode != http.StatusBadRequest {
- t.Fatal("should've failed to get image with public link while logged in without query params", resp.Status)
- }
-
- if resp, err := http.Get(link[:strings.LastIndex(link, "&")]); err == nil && resp.StatusCode != http.StatusBadRequest {
- t.Fatal("should've failed to get image with public link while logged in without second query param")
- }
-
- if resp, err := http.Get(link[:strings.LastIndex(link, "?")] + "?" + link[strings.LastIndex(link, "&"):]); err == nil && resp.StatusCode != http.StatusBadRequest {
- t.Fatal("should've failed to get image with public link while logged in without first query param")
+ t.Fatal("should've failed to get image with public link while logged in without hash", resp.Status)
 }
 utils.Cfg.FileSettings.EnablePublicLink = false
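Review bot: After this change the only negative case left for the logged-in path is the link with its whole query string cut off at `?`; nothing visible in the hunk requests the file with a hash that is present but wrong. Since the hash is now the sole proof that the server issued the link, a case such as `http.Get(link + "x")` expecting `http.StatusBadRequest` (assuming the hash is the last query value) would pin that the value is compared rather than merely required. The same gap applies to the not-logged-in block in the next hunk. Separately, the retained `err == nil && ...` condition lets a transport error pass the check silently and the response body is never closed; TestGetPublicFile starts and ends outside the hunk.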
@@ -316,15 +308,7 @@ func TestGetPublicFile(t *testing.T) {
 }
 if resp, err := http.Get(link[:strings.LastIndex(link, "?")]); err == nil && resp.StatusCode != http.StatusBadRequest {
- t.Fatal("should've failed to get image with public link while not logged in without query params")
- }
-
- if resp, err := http.Get(link[:strings.LastIndex(link, "&")]); err == nil && resp.StatusCode != http.StatusBadRequest {
- t.Fatal("should've failed to get image with public link while not logged in without second query param")
- }
-
- if resp, err := http.Get(link[:strings.LastIndex(link, "?")] + "?" + link[strings.LastIndex(link, "&"):]); err == nil && resp.StatusCode != http.StatusBadRequest {
- t.Fatal("should've failed to get image with public link while not logged in without first query param")
+ t.Fatal("should've failed to get image with public link while not logged in without hash")
 }
 utils.Cfg.FileSettings.EnablePublicLink = false
@@ -335,7 +319,7 @@ func TestGetPublicFile(t *testing.T) {
 utils.Cfg.FileSettings.EnablePublicLink = true
 // test a user that's logged in after the salt has changed
- utils.Cfg.FileSettings.PublicLinkSalt = model.NewId()
+ *utils.Cfg.FileSettings.PublicLinkSalt = model.NewId()
 th.LoginBasic()
 if resp, err := http.Get(link); err == nil && resp.StatusCode != http.StatusBadRequest {
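Review bot: The new line `*utils.Cfg.FileSettings.PublicLinkSalt = model.NewId()` overwrites the process-wide salt through the shared pointer, and no restore is visible in this hunk, so tests that run later in the package would see the rotated value. Capturing the old value with `oldSalt := *utils.Cfg.FileSettings.PublicLinkSalt` and restoring it with `defer func() { *utils.Cfg.FileSettings.PublicLinkSalt = oldSalt }()` keeps the test isolated. The dereference also panics if the pointer is still nil, so it relies on config defaults having been applied before the test runs, which the hunk does not show. TestGetPublicFile begins and ends outside the hunk.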
@@ -408,6 +392,29 @@ func TestGetPublicLink(t *testing.T) {
 }
 }
+func TestGeneratePublicLinkHash(t *testing.T) {
+ filename1 := model.NewId() + "/" + model.NewRandomString(16) + ".txt"
+ filename2 := model.NewId() + "/" + model.NewRandomString(16) + ".txt"
+ salt1 := model.NewRandomString(32)
+ salt2 := model.NewRandomString(32)
+
+ hash1 := generatePublicLinkHash(filename1, salt1)
+ hash2 := generatePublicLinkHash(filename2, salt1)
+ hash3 := generatePublicLinkHash(filename1, salt2)
+
+ if hash1 != generatePublicLinkHash(filename1, salt1) {
+ t.Fatal("hash should be equal for the same file name and salt")
+ }
+
+ if hash1 == hash2 {
+ t.Fatal("hashes for different files should not be equal")
+ }
+
+ if hash1 == hash3 {
+ t.Fatal("hashes for the same file with different salts should not be equal")
+ }
+}
+
 func uploadTestFile(Client *model.Client, channelId string) ([]string, error) {
 body := &bytes.Buffer{}
 writer := multipart.NewWriter(body)
--
cgit v1.2.3-1-g7c22
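Review bot: TestGeneratePublicLinkHash checks only that the output is repeatable and differs across random inputs, which any function that mixes both arguments would satisfy; it pins neither the construction nor the encoding. A fixed known-answer case, with a constant filename and salt compared against an expected string computed once from the intended construction, would catch an accidental change of algorithm or argument order. generatePublicLinkHash is not shown in this file, so the next point is a question rather than a finding: if it hashes salt and filename by plain concatenation, a keyed construction such as HMAC-SHA256 with the salt as key, compared in constant time on the serving side, is the usual choice for link tokens.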