use actix_files::Files;
use actix_web::{
http::StatusCode,
test::{self, TestRequest},
App,
};
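/// Regression test: `Files` must not serve anything outside its configured root.
///
/// Mounts `./tests` at `/` and asks for `/etc/passwd` through three kinds of
/// request path: literal `..` segments, percent-encoded dots (`%2e%2e`), and
/// embedded `%00` (NUL) bytes. Every request must be answered with
/// `404 Not Found`.
///
/// NOTE(review): a 404 is also the answer on a host that has no `/etc/passwd`,
/// so on such a platform these assertions pass whether or not traversal is
/// blocked. Likewise the ten `..` segments only reach the filesystem root when
/// the working directory is shallow enough. An in-repo sentinel file placed
/// just outside `./tests` would make the check platform-independent; TODO
/// confirm whether that is wanted.
#[actix_rt::test]
async fn test_directory_traversal_prevention() {
    // Request paths that each try to name a file outside the served directory.
    const ESCAPE_ATTEMPTS: [&str; 3] = [
        // Plain parent-directory segments.
        "/../../../../../../../../../../../etc/passwd",
        // The same walk with each dot percent-encoded.
        "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        // Percent-encoded NUL bytes inside and at the end of the path.
        "/%00/etc/passwd%00",
    ];

    let srv = test::init_service(App::new().service(Files::new("/", "./tests"))).await;

    for uri in ESCAPE_ATTEMPTS {
        let req = TestRequest::with_uri(uri).to_request();
        let res = test::call_service(&srv, req).await;

        // Name the offending path so a regression is attributable to one
        // encoding variant rather than to "some assertion in this test".
        assert_eq!(
            res.status(),
            StatusCode::NOT_FOUND,
            "request path {:?} was not answered with 404",
            uri
        );
    }
}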