Diffstat (limited to 'spec/services/bulk_imports/file_download_service_spec.rb')
-rw-r--r-- | spec/services/bulk_imports/file_download_service_spec.rb | 32 |
1 files changed, 26 insertions, 6 deletions
diff --git a/spec/services/bulk_imports/file_download_service_spec.rb b/spec/services/bulk_imports/file_download_service_spec.rb
index a24af9ae64d..bd664d6e996 100644
--- a/spec/services/bulk_imports/file_download_service_spec.rb
+++ b/spec/services/bulk_imports/file_download_service_spec.rb
@@ -33,7 +33,7 @@ RSpec.describe BulkImports::FileDownloadService do
 described_class.new(
 configuration: config,
 relative_url: '/test',
- dir: tmpdir,
+ tmpdir: tmpdir,
 filename: filename,
 file_size_limit: file_size_limit,
 allowed_content_types: allowed_content_types
@@ -72,7 +72,7 @@ RSpec.describe BulkImports::FileDownloadService do
 service = described_class.new(
 configuration: double,
 relative_url: '/test',
- dir: tmpdir,
+ tmpdir: tmpdir,
 filename: filename,
 file_size_limit: file_size_limit,
 allowed_content_types: allowed_content_types
@@ -157,7 +157,7 @@ RSpec.describe BulkImports::FileDownloadService do
 described_class.new(
 configuration: config,
 relative_url: '/test',
- dir: tmpdir,
+ tmpdir: tmpdir,
 filename: 'symlink',
 file_size_limit: file_size_limit,
 allowed_content_types: allowed_content_types
@@ -179,7 +179,7 @@ RSpec.describe BulkImports::FileDownloadService do
 described_class.new(
 configuration: config,
 relative_url: '/test',
- dir: '/etc',
+ tmpdir: '/etc',
 filename: filename,
 file_size_limit: file_size_limit,
 allowed_content_types: allowed_content_types
@@ -188,8 +188,28 @@ RSpec.describe BulkImports::FileDownloadService do
 it 'raises an error' do
 expect { subject.execute }.to raise_error(
- described_class::ServiceError,
- 'Invalid target directory'
+ StandardError,
+ 'path /etc is not allowed'
+ )
+ end
+ end
+
+ context 'when dir path is being traversed' do
+ subject do
+ described_class.new(
+ configuration: config,
+ relative_url: '/test',
+ tmpdir: File.join(Dir.mktmpdir('bulk_imports'), 'test', '..'),
+ filename: filename,
+ file_size_limit: file_size_limit,
+ allowed_content_types: allowed_content_types
+ )
+ end
+
+ it 'raises an error' do
+ expect { subject.execute }.to raise_error(
+ Gitlab::Utils::PathTraversalAttackError,
+ 'Invalid path'
 )
 end
 end |
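Review bot: The traversal example calls `Dir.mktmpdir('bulk_imports')` without a block, so a fresh temporary directory is created on every run and never removed; the earlier hunks already pass `tmpdir: tmpdir` (presumably from a `let`), so `tmpdir: File.join(tmpdir, 'test', '..')` would exercise the same `..` segment without leaking a directory. Note also that this path resolves back into the temporary directory itself, so the example pins the syntactic rejection of `..` (`PathTraversalAttackError`) rather than an actual escape from the permitted directory; a second example whose path resolves outside it would make the intent of the check explicit. The `/etc` expectation now matches on bare `StandardError`, which any subclass satisfies; if the service raises a dedicated class there, matching it would keep the spec from passing on an unrelated failure that happens to carry the same message. The enclosing `context` for the `/etc` case starts outside the hunk.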