authorAaron Patterson <tenderlove@ruby-lang.org>2020-05-12 14:33:52 -0700
committerAaron Patterson <tenderlove@ruby-lang.org>2020-05-12 14:34:00 -0700
commit4d170b728aeaa09d7e5d3c9ea8efc30765f628d8 (patch)
tree4e8e4c18dfde5427c374bf5d7394a023c1f5a028
parent145a0c5f41ce1fef18edc9807701655ddd717c06 (diff)
downloadrack-4d170b728aeaa09d7e5d3c9ea8efc30765f628d8.tar.gz
adding a test for directory traversal
-rw-r--r--test/spec_directory.rb12
1 files changed, 12 insertions, 0 deletions
diff --git a/test/spec_directory.rb b/test/spec_directory.rb
index 0e4d501f..97cbadbf 100644
--- a/test/spec_directory.rb
+++ b/test/spec_directory.rb
@@ -119,6 +119,18 @@ describe Rack::Directory do
res.must_be :forbidden?
end
+ it "not allow dir globs" do
+ Dir.mktmpdir do |dir|
+ weirds = "uploads/.?/.?"
+ full_dir = File.join(dir, weirds)
+ FileUtils.mkdir_p full_dir
+ FileUtils.touch File.join(dir, "secret.txt")
+ app = Rack::Directory.new(File.join(dir, "uploads"))
+ res = Rack::MockRequest.new(app).get("/.%3F")
+ refute_match "secret.txt", res.body
+ end
+ end
+
it "404 if it can't find the file" do
res = Rack::MockRequest.new(Rack::Lint.new(app)).
get("/cgi/blubb")