Add Test

UncannyBingo · Oct 5, 2018 · e27e967 · e27e967
1 parent a26baea
commit e27e967
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/luna/router.cpp b/luna/router.cpp
@@ -62,10 +62,15 @@ void router::handle_request(request_method method,
                                                     validations));
 }
 
+void router::sanitize_path(std::string& path_to_files) 
+{
+    std::regex parent_dir_pattern("([.][.])+");
+    path_to_files = std::regex_replace(path_to_files, parent_dir_pattern, "");
+}
+
 void router::serve_files(std::string mount_point, std::string path_to_files)
 {   
-    std::regex parent_dir_pattern("(../)+");
-    path_to_files = std::regex_replace(path_to_files, parent_dir_pattern, "");
+    router::sanitize_path(path_to_files);
 
     std::regex route{mount_point + "(.*)"};
     std::string local_path{path_to_files + "/"};

diff --git a/luna/router.h b/luna/router.h
@@ -43,6 +43,8 @@ class router
                         endpoint_handler_cb callback,
                         parameter::validators validations = {});
 
+    void sanitize_path(std::string& path_to_files);
+
     void serve_files(std::string mount_point, std::string path_to_files);
 
     void add_header(std::string &&key, std::string &&value);

diff --git a/tests/file_service.cpp b/tests/file_service.cpp
@@ -34,6 +34,24 @@ TEST(file_service, serve_file_404)
     ASSERT_EQ(404, res.status_code);
 }
 
+
+TEST(file_service, serve_file_malicious)
+{
+    luna::server server;
+    auto router = server.create_router("/");
+
+    std::string path {"../../etc/passwd"};
+    router->sanitize_path(path);
+
+    // check if the path was striped of ".." occurences
+    ASSERT_TRUE(path == "//etc/passwd");
+
+    // check if path was unchanged
+    path = "foo/bar/test.txt";
+    router->sanitize_path(path);
+    ASSERT_TRUE(path == "foo/bar/test.txt");
+}
+
 TEST(file_service, serve_text_file)
 {
     std::string path{STATIC_ASSET_PATH};