From e27e9670d5c3bab53a271bdb71926fb2ba7b6300 Mon Sep 17 00:00:00 2001
From: ahamirwasia
Date: Thu, 4 Oct 2018 22:40:04 -0700
Subject: [PATCH] Add Test
---
 luna/router.cpp | 9 +++++++--
 luna/router.h | 2 ++
 tests/file_service.cpp | 18 ++++++++++++++++++
 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/luna/router.cpp b/luna/router.cpp
index cf67ef6..3ab7526 100644
--- a/luna/router.cpp
+++ b/luna/router.cpp
@@ -62,10 +62,15 @@ void router::handle_request(request_method method,
 validations));
 }
+void router::sanitize_path(std::string& path_to_files)
+{
+ std::regex parent_dir_pattern("([.][.])+");
+ path_to_files = std::regex_replace(path_to_files, parent_dir_pattern, "");
+}
+
 void router::serve_files(std::string mount_point, std::string path_to_files)
 {
- std::regex parent_dir_pattern("(../)+");
- path_to_files = std::regex_replace(path_to_files, parent_dir_pattern, "");
+ router::sanitize_path(path_to_files);
 std::regex route{mount_point + "(.*)"};
 std::string local_path{path_to_files + "/"};
diff --git a/luna/router.h b/luna/router.h
index fd70906..f0e996e 100644
--- a/luna/router.h
+++ b/luna/router.h
@@ -43,6 +43,8 @@ class router
 endpoint_handler_cb callback,
 parameter::validators validations = {});
+ void sanitize_path(std::string& path_to_files);
+
 void serve_files(std::string mount_point, std::string path_to_files);
 void add_header(std::string &&key, std::string &&value);
diff --git a/tests/file_service.cpp b/tests/file_service.cpp
index 478666c..45aa131 100644
--- a/tests/file_service.cpp
+++ b/tests/file_service.cpp
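Review bot: In luna/router.cpp, `sanitize_path` deletes every run of `..` instead of rejecting the path, so `../../etc/passwd` becomes `//etc/passwd`: a relative input turns into an absolute-looking one, and a legitimate name such as `v1..2` is silently altered. In `serve_files` it is applied only to `path_to_files`, the configured directory, while the request-derived part captured by `mount_point + "(.*)"` is handled in the rest of the function, which lies outside this hunk; if that part is not checked there, this change does not constrain what a client can reach. I would compare whole path components rather than substrings and fail closed (answer 404) when a `..` component is present, or resolve the joined path, for example with `std::filesystem::weakly_canonical` if the project can use C++17, and serve it only when it stays under the resolved root. At minimum the function should carry a comment such as `// Strips ".." sequences from the configured root only; request paths must be validated separately.`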
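Review bot: In luna/router.h, `sanitize_path` is declared as a non-static member next to `serve_files` although its body in router.cpp touches only its argument, and the new test calls it through the router pointer, so it joins the class's callable surface with no stated contract. Declaring it `static void sanitize_path(std::string& path_to_files);`, or making it a file-local helper, would match how it is used. A one-line comment should say what it guarantees, e.g. `// Removes ".." sequences in place; does not canonicalize or validate the result.` The access section this declaration falls in is not visible in the hunk.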
@@ -34,6 +34,24 @@ TEST(file_service, serve_file_404)
 ASSERT_EQ(404, res.status_code);
 }
+
+TEST(file_service, serve_file_malicious)
+{
+ luna::server server;
+ auto router = server.create_router("/");
+
+ std::string path {"../../etc/passwd"};
+ router->sanitize_path(path);
+
+ // check if the path was striped of ".." occurences
+ ASSERT_TRUE(path == "//etc/passwd");
+
+ // check if path was unchanged
+ path = "foo/bar/test.txt";
+ router->sanitize_path(path);
+ ASSERT_TRUE(path == "foo/bar/test.txt");
+}
+
 TEST(file_service, serve_text_file)
 {
 std::string path{STATIC_ASSET_PATH};
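Review bot: `serve_file_malicious` never serves a file: it calls `sanitize_path` directly and asserts that `../../etc/passwd` becomes `//etc/passwd`, which pins the string transformation, absolute-looking result included, as expected behaviour rather than checking that a request cannot leave the mounted directory. A case in the style of the preceding test, whose `ASSERT_EQ(404, res.status_code);` is visible at the top of the hunk, would test the property that matters: mount a directory with `serve_files`, request a path containing `..` segments, and assert on `res.status_code`. `ASSERT_EQ(std::string{"//etc/passwd"}, path);` would also report the actual value on failure, which `ASSERT_TRUE(path == ...)` does not.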