author | Sven-Hendrik Haase <svenstaro@gmail.com> | 2025-03-07 11:38:10 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-03-07 11:38:10 +0000 |
commit | 419204c291273e073cb4e1049655bea848dbc441 (patch) | |
tree | 341cb7ac4bd5915deb8fe58947b3cc352687556d /tests | |
parent | Reformat style.scss (diff) | |
parent | Add asynchronous directory size counting (diff) | |
download | miniserve-419204c291273e073cb4e1049655bea848dbc441.tar.gz miniserve-419204c291273e073cb4e1049655bea848dbc441.zip |
Merge pull request #1482 from svenstaro/add-asynchronous-directory-size-loading
Add asynchronous directory size counting
Diffstat (limited to '')
-rw-r--r-- | tests/api.rs | 53 | ||||
-rw-r--r-- | tests/serve_request.rs | 3 |
2 files changed, 56 insertions, 0 deletions
diff --git a/tests/api.rs b/tests/api.rs
new file mode 100644
index 0000000..32d6cef
--- /dev/null
+++ b/tests/api.rs
@@ -0,0 +1,53 @@
+use std::collections::HashMap;
+
+use reqwest::{StatusCode, blocking::Client};
+use rstest::rstest;
+
+mod fixtures;
+
+use crate::fixtures::{DIRECTORIES, Error, TestServer, server};
+
+#[rstest]
+fn api_dir_size(server: TestServer) -> Result<(), Error> {
+ let mut command = HashMap::new();
+ command.insert("DirSize", DIRECTORIES[0]);
+
+ let resp = Client::new()
+ .post(server.url().join(&format!("__miniserve_internal/api"))?)
+ .json(&command)
+ .send()?
+ .error_for_status()?;
+
+ assert_eq!(resp.status(), StatusCode::OK);
+ assert_ne!(resp.text()?, "0 B");
+
+ Ok(())
+}
+
+/// Test for path traversal vulnerability (CWE-22) in DirSize parameter.
+#[rstest]
+#[case("/tmp")] // Not CWE-22, but `foo` isn't a directory
+#[case("/../foo")]
+#[case("../foo")]
+#[case("../tmp")]
+#[case("/tmp")]
+#[case("/foo")]
+#[case("C:/foo")]
+#[case(r"C:\foo")]
+#[case(r"\foo")]
+fn api_dir_size_prevent_path_transversal_attacks(
+ server: TestServer,
+ #[case] path: &str,
+) -> Result<(), Error> {
+ let mut command = HashMap::new();
+ command.insert("DirSize", path);
+
+ let resp = Client::new()
+ .post(server.url().join(&format!("__miniserve_internal/api"))?)
+ .json(&command)
+ .send()?;
+
+ assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+
+ Ok(())
+}
diff --git a/tests/serve_request.rs b/tests/serve_request.rs
index d9d4880..36bdbe5 100644
--- a/tests/serve_request.rs
+++ b/tests/serve_request.rs
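Review bot: The first `#[case("/tmp")]` on `api_dir_size_prevent_path_transversal_attacks` disagrees with its own comment, which talks about `foo` not being a directory, and it repeats the `#[case("/tmp")]` four lines further down, so the non-directory input the comment describes appears never to be exercised; it probably should read `#[case("foo")]` with the comment kept (confirm against the fixtures). Every other case starts with a root, a drive letter or `..`, so a path that begins inside the served tree and only then climbs out is not covered; a case such as `#[case("<fixture-dir>/../../foo")]`, with `<fixture-dir>` replaced by a real entry from `DIRECTORIES`, would pin that. The test checks only for `StatusCode::BAD_REQUEST`, so a 400 returned for an unrelated reason, such as a body the API fails to deserialize, would pass as well; asserting on the error text, if the API returns one, would make the rejection reason explicit.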
@@ -86,6 +86,9 @@ fn serves_requests_with_non_default_port(server: TestServer) -> Result<(), Error
 #[case("__miniserve_internal/healthcheck", server(&["--random-route"]))]
 #[case("__miniserve_internal/favicon.svg", server(&["--random-route"]))]
 #[case("__miniserve_internal/style.css", server(&["--random-route"]))]
+#[case("__miniserve_internal/healthcheck", server(&["--auth", "doesnt:matter"]))]
+#[case("__miniserve_internal/favicon.svg", server(&["--auth", "doesnt:matter"]))]
+#[case("__miniserve_internal/style.css", server(&["--auth", "doesnt:matter"]))]
 fn serves_requests_for_special_routes(
 #[case] route: &str,
 #[case] server: TestServer, |
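Review bot: The three new `--auth` cases cover only the static special routes (healthcheck, favicon, stylesheet); nothing in this commit tests the `__miniserve_internal/api` route, added in the same pull request, against a server started with `--auth`. If the exemption for special routes is decided by the `__miniserve_internal/` prefix (not visible here), the DirSize endpoint could answer without credentials and disclose directory sizes. A negative test would settle it: POST a `DirSize` command to a `server(&["--auth", "doesnt:matter"])` instance without credentials and finish with `assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);`. The body of `serves_requests_for_special_routes` lies outside the hunk, so whether these cases send credentials cannot be confirmed from here.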