path: root/tests/api.rs
blob: 32d6ceff2d5559f2c2cadb2936130d8d587527ff (plain)
use std::collections::HashMap;

use reqwest::{StatusCode, blocking::Client};
use rstest::rstest;

mod fixtures;

use crate::fixtures::{DIRECTORIES, Error, TestServer, server};

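/// The `DirSize` API command must answer 200 with a non-zero size for a served directory.
///
/// Posts `{"DirSize": DIRECTORIES[0]}` to the internal API endpoint and checks that
/// the response status is OK and the body is something other than `"0 B"`.
#[rstest]
fn api_dir_size(server: TestServer) -> Result<(), Error> {
    let mut command = HashMap::new();
    command.insert("DirSize", DIRECTORIES[0]);

    // The endpoint path is fixed, so a plain `&str` is passed to `join` (no `format!`).
    let resp = Client::new()
        .post(server.url().join("__miniserve_internal/api")?)
        .json(&command)
        .send()?
        // Any 4xx/5xx answer becomes an `Err` here, before the status assertion below.
        .error_for_status()?;

    assert_eq!(resp.status(), StatusCode::OK);
    // DIRECTORIES[0] is presumably non-empty in the fixtures, so the reported size must not be "0 B".
    assert_ne!(resp.text()?, "0 B");

    Ok(())
}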

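/// Test for path traversal vulnerability (CWE-22) in DirSize parameter.
///
/// Every case must be rejected with 400 Bad Request. The cases mix traversal
/// attempts (`..` segments, absolute and Windows-style paths) with paths that are
/// simply not served directories, and the expectation is the same for both, so a
/// passing run shows that the server rejects each input but not *why* it did.
#[rstest]
#[case("/tmp")] // Not CWE-22, but `foo` isn't a directory
// NOTE(review): the comment above mentions `foo`; it may have been meant for the "/foo" case — confirm.
#[case("/../foo")]
#[case("../foo")]
#[case("../tmp")]
#[case("/foo")]
#[case("C:/foo")]
#[case(r"C:\foo")]
#[case(r"\foo")]
fn api_dir_size_prevent_path_transversal_attacks(
    server: TestServer,
    #[case] path: &str,
) -> Result<(), Error> {
    let mut command = HashMap::new();
    command.insert("DirSize", path);

    // The endpoint path is fixed, so a plain `&str` is passed to `join` (no `format!`).
    // No `error_for_status()` here: the 400 response is the expected outcome.
    let resp = Client::new()
        .post(server.url().join("__miniserve_internal/api")?)
        .json(&command)
        .send()?;

    assert_eq!(resp.status(), StatusCode::BAD_REQUEST);

    Ok(())
}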