From fdd70f4238cc4ef2ccfc6d7921b23ff474ac0777 Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase
Date: Sun, 7 Mar 2021 02:38:04 +0100
Subject: Fix DoS issue when deliberately sending unconforming URL paths
---
 tests/navigation.rs | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
(limited to 'tests/navigation.rs')
diff --git a/tests/navigation.rs b/tests/navigation.rs
index 0826aa0..3d8f37f 100644
--- a/tests/navigation.rs
+++ b/tests/navigation.rs
@@ -35,6 +35,36 @@ fn index_gets_trailing_slash(tmpdir: TempDir, port: u16) -> Result<(), Error> {
 Ok(())
 }
 
+#[rstest]
+/// Can't navigate up the root.
+fn cant_navigate_up_the_root(tmpdir: TempDir, port: u16) -> Result<(), Error> {
+ let mut child = Command::cargo_bin("miniserve")?
+ .arg("-p")
+ .arg(port.to_string())
+ .arg(tmpdir.path())
+ .stdout(Stdio::null())
+ .spawn()?;
+
+ sleep(Duration::from_secs(1));
+
+ // We're using curl for this as it has the option `--path-as-is` which doesn't normalize
+ // invalid urls. A useful feature in this particular case.
+ let base_url = Url::parse(&format!("http://localhost:{}", port))?;
+ let curl_successful = Command::new("curl")
+ .arg("-s")
+ .arg("--fail")
+ .arg("--path-as-is")
+ .arg(format!("{}/../", base_url))
+ .stdout(Stdio::null())
+ .status()?
+ .success();
+ assert!(curl_successful);
+
+ child.kill()?;
+
+ Ok(())
+}
+
 #[rstest]
 /// We can navigate into directories and back using shown links.
 fn can_navigate_into_dirs_and_back(tmpdir: TempDir, port: u16) -> Result<(), Error> {
-- 
cgit v1.2.3
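Review bot: In `cant_navigate_up_the_root`, `assert!(curl_successful)` runs before `child.kill()?`, so a failing assertion, or an early `?` return from the curl `status()` call, leaves the spawned miniserve process running and holding the port; move `child.kill()?;` above the assert. The check only establishes that the server answered `/../` with a non-error status, so a response listing the parent of `tmpdir` would pass as well; consider capturing the body with `.output()?` and asserting it matches what `/` returns. Because the commit addresses a DoS, bounding the request with `.arg("--max-time").arg("5")` would make a hanging server fail the test instead of stalling the suite. The test also assumes a `curl` binary on PATH, which is worth stating in the doc comment.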