authorJonas Diemer <jonasdiemer@gmail.com>2022-08-02 15:40:05 +0000
committerJonas Diemer <jonasdiemer@gmail.com>2022-09-18 18:23:55 +0000
commit93bfc372474199367519f0b10820cd0d5b332e66 (patch)
treee753ff28867d988d2d6443a11ea98d53eb575859 /tests/upload_files.rs
parentfixed rendering of upload if non-restricted (diff)
Test that uploads fail if outside restricted dir
Diffstat (limited to '')
-rw-r--r--tests/upload_files.rs38
1 files changed, 38 insertions, 0 deletions
diff --git a/tests/upload_files.rs b/tests/upload_files.rs
index 71fcbc4..a7a0a10 100644
--- a/tests/upload_files.rs
+++ b/tests/upload_files.rs
@@ -80,6 +80,44 @@ fn uploading_files_is_prevented(server: TestServer) -> Result<(), Error> {
Ok(())
}
+#[rstest]
+fn uploading_files_is_restricted(
+ #[with(&["-u", "--restrict-upload-dir", "someDir"])] server: TestServer
+) -> Result<(), Error> {
+ let test_file_name = "uploaded test file.txt";
+
+ // Before uploading, check whether the uploaded file does not yet exist.
+ let body = reqwest::blocking::get(server.url())?.error_for_status()?;
+ let parsed = Document::from_read(body)?;
+ assert!(parsed.find(Text).all(|x| x.text() != test_file_name));
+
+ // Ensure the file upload form is not present
+ assert!(parsed.find(Attr("id", "file_submit")).next().is_none());
+
+ // Then try to upload anyway
+ let form = multipart::Form::new();
+ let part = multipart::Part::text("this should not be uploaded")
+ .file_name(test_file_name)
+ .mime_str("text/plain")?;
+ let form = form.part("file_to_upload", part);
+
+ let client = Client::new();
+ // Ensure uploading fails and returns an error
+ assert!(client
+ .post(server.url().join("/upload?path=/")?)
+ .multipart(form)
+ .send()?
+ .error_for_status()
+ .is_err());
+
+ // After uploading, check whether the uploaded file is now getting listed.
+ let body = reqwest::blocking::get(server.url())?;
+ let parsed = Document::from_read(body)?;
+ assert!(!parsed.find(Text).any(|x| x.text() == test_file_name));
+
+ Ok(())
+}
+
/// Test for path traversal vulnerability (CWE-22) in both path parameter of query string and in
/// file name (Content-Disposition)
///
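Review bot: The rejection check `.error_for_status().is_err()` in `uploading_files_is_restricted` passes on any 4xx/5xx response, so a 404 from a wrong route or a 500 from a server fault satisfies this access-control test just as well as a deliberate refusal. Capture the response and compare its `status()` with the exact code the server is meant to return for an upload outside `--restrict-upload-dir`. The listing request after the upload drops the `.error_for_status()?` used before it, so an error page would let the negative `any(...)` assertion pass vacuously; it should read `let body = reqwest::blocking::get(server.url())?.error_for_status()?;`. The comment above that request was copied from the positive test and should say `// After the rejected upload, check that the file is not listed.`. Only the denied path `/` is exercised, so a companion case that uploads into `someDir` and expects success (assuming the fixture provides that directory) would show the option is not simply blocking every upload.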