sjs/agate
1
0
Fork 0
mirror of https://github.com/samsonjs/agate.git synced 2026-04-27 15:07:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

test: add failing tests for percent-encoded hidden-file bypass

Browse source
This commit is contained in:
Sami Samhuri 2026-02-14 22:43:29 +00:00
parent 92093a84ab
commit cda2e102f8
No known key found for this signature in database
1 changed files with 25 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
tests/tests.rs
View file

@ -159,6 +159,12 @@ fn get(args: &[&str], url: &str) -> Result<Response, String> {
response response
} }
fn avoid_default_port_conflict() {
if PORT.load(Ordering::SeqCst) == DEFAULT_PORT {
PORT.store(34000, Ordering::SeqCst);
}
}
#[test] #[test]
/// - serves index page for a directory /// - serves index page for a directory
/// - serves the correct content /// - serves the correct content
@ -435,6 +441,25 @@ fn serve_secret_meta_config_subdir() {
assert_eq!(page.status, Status::Success.value()); assert_eq!(page.status, Status::Success.value());
} }
#[test]
/// - hidden files should stay hidden even when the dot is percent-encoded
fn secret_percent_encoded_dot() {
avoid_default_port_conflict();
let page = get(&[], "gemini://localhost/%2emeta").expect("could not get page");
assert_eq!(page.status, Status::Gone.value());
}
#[test]
/// - hidden subdirectory segments should stay hidden even when dot is encoded
fn secret_subdir_percent_encoded_dot() {
avoid_default_port_conflict();
let page =
get(&["-C"], "gemini://localhost/%2Ewell-known/hidden-file").expect("could not get page");
assert_eq!(page.status, Status::Gone.value());
}
#[test] #[test]
/// - directory traversal attacks using percent-encoded path separators /// - directory traversal attacks using percent-encoded path separators
/// fail (this addresses a previous vulnerability) /// fail (this addresses a previous vulnerability)