Diffstat (limited to 'tests')
-rw-r--r--tests/api.rs53
-rw-r--r--tests/serve_request.rs3
2 files changed, 56 insertions, 0 deletions
diff --git a/tests/api.rs b/tests/api.rs
new file mode 100644
index 0000000..32d6cef
--- /dev/null
+++ b/tests/api.rs
@@ -0,0 +1,53 @@
+use std::collections::HashMap;
+
+use reqwest::{StatusCode, blocking::Client};
+use rstest::rstest;
+
+mod fixtures;
+
+use crate::fixtures::{DIRECTORIES, Error, TestServer, server};
+
+#[rstest]
+fn api_dir_size(server: TestServer) -> Result<(), Error> {
+ let mut command = HashMap::new();
+ command.insert("DirSize", DIRECTORIES[0]);
+
+ let resp = Client::new()
+ .post(server.url().join(&format!("__miniserve_internal/api"))?)
+ .json(&command)
+ .send()?
+ .error_for_status()?;
+
+ assert_eq!(resp.status(), StatusCode::OK);
+ assert_ne!(resp.text()?, "0 B");
+
+ Ok(())
+}
+
+/// Test for path traversal vulnerability (CWE-22) in DirSize parameter.
+#[rstest]
+#[case("/tmp")] // Not CWE-22, but `foo` isn't a directory
+#[case("/../foo")]
+#[case("../foo")]
+#[case("../tmp")]
+#[case("/tmp")]
+#[case("/foo")]
+#[case("C:/foo")]
+#[case(r"C:\foo")]
+#[case(r"\foo")]
+fn api_dir_size_prevent_path_transversal_attacks(
+ server: TestServer,
+ #[case] path: &str,
+) -> Result<(), Error> {
+ let mut command = HashMap::new();
+ command.insert("DirSize", path);
+
+ let resp = Client::new()
+ .post(server.url().join(&format!("__miniserve_internal/api"))?)
+ .json(&command)
+ .send()?;
+
+ assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+
+ Ok(())
+}
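Review bot: The case list of `api_dir_size_prevent_path_transversal_attacks` has `#[case("/tmp")]` twice (first and fifth case), and the comment on the first one, "Not CWE-22, but `foo` isn't a directory", does not describe `/tmp` — it reads as if it belonged to `#[case("/foo")]`; either drop the duplicate and move the comment to the `/foo` case, or reword it to say why an absolute path to an existing directory outside the served root must also be rejected. The function name also spells "traversal" as "transversal"; since rstest derives test names from it, renaming to `api_dir_size_prevent_path_traversal_attacks` keeps the test output aligned with the CWE-22 wording in the doc comment. Separately, both tests build the URL with `format!("__miniserve_internal/api")` although nothing is interpolated (clippy `useless_format`); `.post(server.url().join("__miniserve_internal/api")?)` is equivalent and avoids the allocation. A short comment on the traversal test saying that the server is expected to answer `400 Bad Request` for any path that escapes or is absolute, rather than `404`, would make the asserted contract explicit for the next maintainer.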
diff --git a/tests/serve_request.rs b/tests/serve_request.rs
index d9d4880..36bdbe5 100644
--- a/tests/serve_request.rs
+++ b/tests/serve_request.rs
@@ -86,6 +86,9 @@ fn serves_requests_with_non_default_port(server: TestServer) -> Result<(), Error
#[case("__miniserve_internal/healthcheck", server(&["--random-route"]))]
#[case("__miniserve_internal/favicon.svg", server(&["--random-route"]))]
#[case("__miniserve_internal/style.css", server(&["--random-route"]))]
+#[case("__miniserve_internal/healthcheck", server(&["--auth", "doesnt:matter"]))]
+#[case("__miniserve_internal/favicon.svg", server(&["--auth", "doesnt:matter"]))]
+#[case("__miniserve_internal/style.css", server(&["--auth", "doesnt:matter"]))]
fn serves_requests_for_special_routes(
#[case] route: &str,
#[case] server: TestServer,
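Review bot: The three new cases assert that `__miniserve_internal/healthcheck`, `favicon.svg` and `style.css` are served even when the server runs with `--auth`, but nothing in the hunk records that this bypass is intentional rather than an oversight in the auth middleware. A one-line comment above the first new case, e.g. `// Internal routes stay reachable without credentials under --auth; this exemption is deliberate and must not widen to other paths.`, would make the tested security boundary explicit for whoever next touches the auth handling. It may also be worth a sibling test (presumably elsewhere in this file, outside the hunk) asserting that a non-internal route under the same `--auth` server returns 401, so the exemption is pinned from both sides. The body of `serves_requests_for_special_routes` continues past the end of the hunk.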