author | Aaron Patterson <tenderlove@ruby-lang.org> | 2020-05-12 14:33:52 -0700 |
---|---|---|
committer | Aaron Patterson <tenderlove@ruby-lang.org> | 2020-05-12 14:34:00 -0700 |
commit | 4d170b728aeaa09d7e5d3c9ea8efc30765f628d8 (patch) | |
tree | 4e8e4c18dfde5427c374bf5d7394a023c1f5a028 | |
parent | 145a0c5f41ce1fef18edc9807701655ddd717c06 (diff) | |
download | rack-4d170b728aeaa09d7e5d3c9ea8efc30765f628d8.tar.gz |
adding a test for directory traversal
-rw-r--r-- | test/spec_directory.rb | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/test/spec_directory.rb b/test/spec_directory.rb
index 0e4d501f..97cbadbf 100644
--- a/test/spec_directory.rb
+++ b/test/spec_directory.rb
@@ -119,6 +119,18 @@ describe Rack::Directory do
     res.must_be :forbidden?
   end
 
+  it "not allow dir globs" do
+    Dir.mktmpdir do |dir|
+      weirds = "uploads/.?/.?"
+      full_dir = File.join(dir, weirds)
+      FileUtils.mkdir_p full_dir
+      FileUtils.touch File.join(dir, "secret.txt")
+      app = Rack::Directory.new(File.join(dir, "uploads"))
+      res = Rack::MockRequest.new(app).get("/.%3F")
+      refute_match "secret.txt", res.body
+    end
+  end
+
   it "404 if it can't find the file" do
     res = Rack::MockRequest.new(Rack::Lint.new(app)).
       get("/cgi/blubb")
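Review bot: The `refute_match "secret.txt", res.body` assertion at the end of the new `it` block is the only check, so a response that is empty or wrong for an unrelated reason (an exception surfacing as a 500, for instance) passes the test without showing that the `?` was treated literally rather than expanded; pin the status too, e.g. `res.must_be :not_found?` or `res.status.must_equal 404`, whichever Rack::Directory returns for a missing entry (its behaviour is outside this hunk). The test also exercises only `?` (`.%3F`), while Ruby's `Dir.glob` additionally treats `*`, `[...]`, `{a,b}` and `\` as metacharacters, so a regression that escapes only `?` would still pass; looping the same setup over a small list such as `%w[.%3F .%2A .%5Ba%5D]` would cover the other cases. For consistency with the neighbouring tests the app could be wrapped as `Rack::Lint.new(app)` so protocol violations in the glob path are caught as well. The test relies on `Dir.mktmpdir` and `FileUtils`, presumably required at the top of the file; worth confirming, since they are not added in this hunk.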