test: add failing tests for percent-encoded hidden-file bypass

2026-03-25 09:05:50 +00:00 · 2026-02-14 22:43:29 +00:00 · 2026-02-14 22:43:29 +00:00 · cda2e102f8
commit cda2e102f8
parent 92093a84ab
1 changed files with 25 additions and 0 deletions
--- a/tests/tests.rs
+++ b/tests/tests.rs
@ -159,6 +159,12 @@ fn get(args: &[&str], url: &str) -> Result<Response, String> {
    response
 }

+fn avoid_default_port_conflict() {
+    if PORT.load(Ordering::SeqCst) == DEFAULT_PORT {
+        PORT.store(34000, Ordering::SeqCst);
+    }
+}
+
 #[test]
 /// - serves index page for a directory
 /// - serves the correct content
@ -435,6 +441,25 @@ fn serve_secret_meta_config_subdir() {
    assert_eq!(page.status, Status::Success.value());
 }

+#[test]
+/// - hidden files should stay hidden even when the dot is percent-encoded
+fn secret_percent_encoded_dot() {
+    avoid_default_port_conflict();
+    let page = get(&[], "gemini://localhost/%2emeta").expect("could not get page");
+
+    assert_eq!(page.status, Status::Gone.value());
+}
+
+#[test]
+/// - hidden subdirectory segments should stay hidden even when dot is encoded
+fn secret_subdir_percent_encoded_dot() {
+    avoid_default_port_conflict();
+    let page =
+        get(&["-C"], "gemini://localhost/%2Ewell-known/hidden-file").expect("could not get page");
+
+    assert_eq!(page.status, Status::Gone.value());
+}
+
 #[test]
 /// - directory traversal attacks using percent-encoded path separators
 ///   fail (this addresses a previous vulnerability)