From cda2e102f8ff2428793598daf4f5d686697bf878 Mon Sep 17 00:00:00 2001
From: Sami Samhuri
Date: Sat, 14 Feb 2026 22:43:29 +0000
Subject: [PATCH] test: add failing tests for percent-encoded hidden-file bypass
---
 tests/tests.rs | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/tests/tests.rs b/tests/tests.rs
index 64e964d..9cfc7d5 100644
--- a/tests/tests.rs
+++ b/tests/tests.rs
@@ -159,6 +159,12 @@ fn get(args: &[&str], url: &str) -> Result { response } +fn avoid_default_port_conflict() { if PORT.load(Ordering::SeqCst) == DEFAULT_PORT { PORT.store(34000, Ordering::SeqCst); } } + #[test] /// - serves index page for a directory /// - serves the correct content
@@ -435,6 +441,25 @@ fn serve_secret_meta_config_subdir() { assert_eq!(page.status, Status::Success.value()); } +#[test] /// - hidden files should stay hidden even when the dot is percent-encoded fn secret_percent_encoded_dot() { avoid_default_port_conflict(); let page = get(&[], "gemini://localhost/%2emeta").expect("could not get page"); assert_eq!(page.status, Status::Gone.value()); } +#[test] /// - hidden subdirectory segments should stay hidden even when dot is encoded fn secret_subdir_percent_encoded_dot() { avoid_default_port_conflict(); let page = get(&["-C"], "gemini://localhost/%2Ewell-known/hidden-file").expect("could not get page"); assert_eq!(page.status, Status::Gone.value()); } + #[test] /// - directory traversal attacks using percent-encoded path separators /// fail (this addresses a previous vulnerability)
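Review bot: `avoid_default_port_conflict` does a separate `load` and `store` on `PORT`, so with the default multi-threaded test harness two tests can both observe `DEFAULT_PORT` and both store; the result is the same value either way, but a single read-modify-write states the intent and removes the window: `let _ = PORT.compare_exchange(DEFAULT_PORT, 34000, Ordering::SeqCst, Ordering::SeqCst);`. It is also the only new function in the patch without a `///` comment, and `34000` is a bare magic number; a comment such as `/// Move the shared test port off DEFAULT_PORT so these tests do not collide with whatever binds the default port (confirm against the server setup in get).` plus a named const next to `DEFAULT_PORT` would document both. `PORT` and `DEFAULT_PORT` are declared outside the hunk, so the atomic type is inferred from the `load`/`store` calls rather than seen.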
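Review bot: Both new tests are expected to fail on this commit (the subject says so) yet neither is marked, so the suite is red until the fix lands and `git bisect` trips on this commit; `#[ignore = "pending percent-encoded hidden-file fix"]` on each, removed in the fixing commit, keeps history green. The pair deliberately exercises both `%2e` and `%2E`, which the doc comments do not state; spelling it out, e.g. `/// - hidden files should stay hidden even when the dot is percent-encoded (lowercase %2e)` and `/// - hidden subdirectory segments should stay hidden even when the dot is encoded (uppercase %2E)`, stops a later cleanup from folding them into one case. Only `page.status` is asserted, which is sufficient provided a `Status::Gone` response carries no body — presumably so, but worth confirming against `get`, which is defined outside this hunk.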