author | Sven-Hendrik Haase <svenstaro@gmail.com> | 2025-03-07 10:00:48 +0000 |
---|---|---|
committer | Sven-Hendrik Haase <svenstaro@gmail.com> | 2025-03-07 11:14:03 +0000 |
commit | 11ea8a19d1481b0660e5a2765da6e67d3e8aa72c (patch) | |
tree | 341cb7ac4bd5915deb8fe58947b3cc352687556d /tests | |
parent | Reformat style.scss (diff) | |
Add asynchronous directory size counting
This is enabled by default and without an option to toggle it off as it's asynchronous and shouldn't
block the server thread.
Diffstat (limited to '')
-rw-r--r-- | tests/api.rs | 53 | ||||
-rw-r--r-- | tests/serve_request.rs | 3 |
2 files changed, 56 insertions, 0 deletions
diff --git a/tests/api.rs b/tests/api.rs
new file mode 100644
index 0000000..32d6cef
--- /dev/null
+++ b/tests/api.rs
@@ -0,0 +1,53 @@
+use std::collections::HashMap;
+
+use reqwest::{StatusCode, blocking::Client};
+use rstest::rstest;
+
+mod fixtures;
+
+use crate::fixtures::{DIRECTORIES, Error, TestServer, server};
+
+#[rstest]
+fn api_dir_size(server: TestServer) -> Result<(), Error> {
+ let mut command = HashMap::new();
+ command.insert("DirSize", DIRECTORIES[0]);
+
+ let resp = Client::new()
+ .post(server.url().join(&format!("__miniserve_internal/api"))?)
+ .json(&command)
+ .send()?
+ .error_for_status()?;
+
+ assert_eq!(resp.status(), StatusCode::OK);
+ assert_ne!(resp.text()?, "0 B");
+
+ Ok(())
+}
+
+/// Test for path traversal vulnerability (CWE-22) in DirSize parameter.
+#[rstest]
+#[case("/tmp")] // Not CWE-22, but `foo` isn't a directory
+#[case("/../foo")]
+#[case("../foo")]
+#[case("../tmp")]
+#[case("/tmp")]
+#[case("/foo")]
+#[case("C:/foo")]
+#[case(r"C:\foo")]
+#[case(r"\foo")]
+fn api_dir_size_prevent_path_transversal_attacks(
+ server: TestServer,
+ #[case] path: &str,
+) -> Result<(), Error> {
+ let mut command = HashMap::new();
+ command.insert("DirSize", path);
+
+ let resp = Client::new()
+ .post(server.url().join(&format!("__miniserve_internal/api"))?)
+ .json(&command)
+ .send()?;
+
+ assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+
+ Ok(())
+}
diff --git a/tests/serve_request.rs b/tests/serve_request.rs
index d9d4880..36bdbe5 100644
--- a/tests/serve_request.rs
+++ b/tests/serve_request.rs
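Review bot: The first case of `api_dir_size_prevent_path_transversal_attacks` is `#[case("/tmp")]`, but its comment talks about `foo` and the same `"/tmp"` value appears again four cases later, so the plain non-directory input the comment describes is never sent; presumably the first case was meant to be `#[case("foo")]`. Every traversal case starts with `/`, `..`, a drive letter or a backslash; none puts `..` after a valid first component, which is the shape a check that only inspects the start of the path would let through, so a case built from a `DIRECTORIES` entry followed by `/../..` would tighten the CWE-22 coverage. The test name should read `traversal` rather than `transversal`. In both tests `&format!("__miniserve_internal/api")` has no arguments and can be the plain literal `"__miniserve_internal/api"`.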
@@ -86,6 +86,9 @@ fn serves_requests_with_non_default_port(server: TestServer) -> Result<(), Error
 #[case("__miniserve_internal/healthcheck", server(&["--random-route"]))]
 #[case("__miniserve_internal/favicon.svg", server(&["--random-route"]))]
 #[case("__miniserve_internal/style.css", server(&["--random-route"]))]
+#[case("__miniserve_internal/healthcheck", server(&["--auth", "doesnt:matter"]))]
+#[case("__miniserve_internal/favicon.svg", server(&["--auth", "doesnt:matter"]))]
+#[case("__miniserve_internal/style.css", server(&["--auth", "doesnt:matter"]))]
 fn serves_requests_for_special_routes(
 #[case] route: &str,
 #[case] server: TestServer, |
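Review bot: The added `--auth` cases cover only the three static internal routes, and nothing in this commit's tests pins how the new `__miniserve_internal/api` route behaves on a server started with `--auth`. Because that endpoint makes the server walk a directory tree on request, a test that posts a `DirSize` command without credentials and asserts the intended status (presumably `StatusCode::UNAUTHORIZED`) would keep it from silently ending up on the unauthenticated side of the special routes. Whether these cases send credentials cannot be confirmed here, since the body of `serves_requests_for_special_routes` lies outside the hunk.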