-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
Expand file tree
/
Copy pathstatic_encoded_separator_test.go
More file actions
124 lines (118 loc) · 3.41 KB
/
Copy pathstatic_encoded_separator_test.go
File metadata and controls
124 lines (118 loc) · 3.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
package echo
import (
"net/http"
"net/http/httptest"
"testing"
"testing/fstest"
"github.com/stretchr/testify/assert"
)
// Regression for GHSA-vfp3-v2gw-7wfq: an encoded slash (%2F) must not let a static
// file request resolve across a path separator and bypass route-level middleware.
func TestStaticDirectoryHandler_EncodedSeparatorDoesNotBypassRoute(t *testing.T) {
var testCases = []struct {
name string
target string
wantCode int
wantBody string
}{
{
name: "protected route fires",
target: "/admin/secret.txt",
wantCode: http.StatusForbidden,
wantBody: "denied",
},
{
name: "encoded slash rejected, no disclosure",
target: "/admin%2Fsecret.txt",
wantCode: http.StatusNotFound,
wantBody: "",
},
{
name: "lower-case hex variant",
target: "/admin%2fsecret.txt",
wantCode: http.StatusNotFound,
wantBody: "",
},
{
name: "encoded backslash variant - Windows specific related",
target: "/admin%5Csecret.txt",
wantCode: http.StatusNotFound,
wantBody: "",
},
{
name: "double-encoded: single unescape -> literal filename, not a separator",
target: "/admin%252Fsecret.txt",
wantCode: http.StatusNotFound,
wantBody: "",
},
{
name: "legitimate static file still served",
target: "/index.html",
wantCode: http.StatusOK,
wantBody: "public",
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
fsys := fstest.MapFS{
"admin/secret.txt": {Data: []byte("TOP-SECRET")},
"index.html": {Data: []byte("public")},
}
e := New()
g := e.Group("/admin", func(next HandlerFunc) HandlerFunc {
return func(c *Context) error { return c.String(http.StatusForbidden, "denied") }
})
g.GET("/*", func(c *Context) error { return c.String(http.StatusOK, "reached-protected-handler") })
e.StaticFS("/", fsys)
req := httptest.NewRequest(http.MethodGet, tc.target, nil)
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
assert.Equal(t, tc.wantCode, rec.Code, "GET %s", tc.target)
if tc.wantBody != "" {
assert.Equal(t, tc.wantBody, rec.Body.String(), "GET %s", tc.target)
}
assert.NotContains(t, rec.Body.String(), "TOP-SECRET", "GET %s leaked protected file", tc.target)
})
}
}
// A Group-mounted StaticFS shares StaticDirectoryHandler, so it must reject the
// same encoded separators when served under a non-root prefix.
func TestGroupStaticFS_EncodedSeparatorDoesNotBypassRoute(t *testing.T) {
var testCases = []struct {
name string
target string
wantCode int
}{
{
name: "ok",
target: "/files/index.html",
wantCode: http.StatusOK,
},
{
name: "nok, encoded slash",
target: "/files/admin%2Fsecret.txt",
wantCode: http.StatusNotFound,
},
{
name: "nok encoded backslash",
target: "/files/admin%5Csecret.txt",
wantCode: http.StatusNotFound,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
fsys := fstest.MapFS{
"admin/secret.txt": {Data: []byte("TOP-SECRET")},
"index.html": {Data: []byte("public")},
}
e := New()
g := e.Group("/files")
g.StaticFS("/", fsys)
req := httptest.NewRequest(http.MethodGet, tc.target, nil)
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
assert.Equal(t, tc.wantCode, rec.Code, "GET %s", tc.target)
assert.NotContains(t, rec.Body.String(), "TOP-SECRET", "GET %s leaked protected file", tc.target)
})
}
}