<?php
declare(strict_types=1);
use Saloon\Helpers\Storage;
use Saloon\Http\Faking\Fixture;
use Saloon\Data\RecordedResponse;
use Saloon\Exceptions\FixtureException;
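beforeEach(function () {
    // Fresh, per-test fixture root under the system temp dir. The random suffix keeps
    // concurrent runs from sharing (or clobbering) each other's fixture directories.
    $this->fixtureBaseDir = sys_get_temp_dir() . '/saloon_fixture_traversal_' . uniqid('', true);

    // Owner-only permissions: the fixture root is only ever touched by the test process
    // itself, so there is no reason to create it world-writable (0777).
    // mkdir() returns false (and only emits a warning) on failure, which would otherwise let
    // the tests proceed against a directory that does not exist; fail loudly instead.
    if (!mkdir($this->fixtureBaseDir, 0700, true) && !is_dir($this->fixtureBaseDir)) {
        throw new RuntimeException('Unable to create fixture directory: ' . $this->fixtureBaseDir);
    }
});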
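afterEach(function () {
    // Remove the per-test fixture root. A flat glob('/*') followed by rmdir() only copes with
    // a directory of non-dot files; any nested entry would leave rmdir() failing with a
    // warning and a stale temp directory behind. Walk the tree children-first instead.
    if (isset($this->fixtureBaseDir) && is_dir($this->fixtureBaseDir)) {
        $entries = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($this->fixtureBaseDir, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::CHILD_FIRST
        );
        foreach ($entries as $entry) {
            if ($entry->isDir()) {
                rmdir($entry->getPathname());
            } else {
                unlink($entry->getPathname());
            }
        }
        rmdir($this->fixtureBaseDir);
    }

    // Files that a successful traversal would have created or reused outside the base
    // directory. Remove them so a leftover from one run cannot mask a failure in the next
    // (e.g. the store test asserts that its escape target does not exist).
    foreach (['traversal_write_test.json', 'traversal_read_target.json'] as $leakedFile) {
        $escapePath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . $leakedFile;
        if (file_exists($escapePath)) {
            unlink($escapePath);
        }
    }
});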
test('fixture name with path traversal throws when getting mock response and does not read outside base', function () {
    $storage = new Storage($this->fixtureBaseDir, true);

    // Plant a decoy "fixture" one level above the base directory. It is a well-formed
    // recorded response on purpose: if the name were ever resolved to this path, the read
    // would succeed and a mock response could be served from outside the base directory.
    $externalPath = sys_get_temp_dir() . '/traversal_read_target.json';
    $secretContent = 'read_from_outside';
    $decoy = [
        'statusCode' => 200,
        'headers' => [],
        'data' => '{"secret":"' . $secretContent . '"}',
        'context' => [],
    ];
    file_put_contents($externalPath, json_encode($decoy));

    // Only one traversal spelling is exercised here: ".." followed by the platform separator.
    $traversalName = '..' . DIRECTORY_SEPARATOR . 'traversal_read_target';
    $fixture = new Fixture($traversalName, $storage);

    $expectedMessage = 'The fixture name must not contain directory traversal components or invalid characters. Only alphanumeric characters, hyphens, slashes, and underscores are allowed.';

    // The name must be rejected up front; this exception (with this exact message) is the
    // actual guarantee under test.
    expect(fn () => $fixture->getMockResponse())->toThrow(FixtureException::class, $expectedMessage);

    // Sanity check that the decoy survived the call unchanged. This only shows the file is
    // still intact; it is not, by itself, proof that nothing was read from it.
    expect(file_get_contents($externalPath))->toContain($secretContent);
});
test('fixture name with path traversal throws when storing and does not write outside base', function () {
    $storage = new Storage($this->fixtureBaseDir, true);

    // Same single traversal spelling as the read test: ".." followed by the platform separator.
    $traversalName = '..' . DIRECTORY_SEPARATOR . 'traversal_write_test';
    $fixture = new Fixture($traversalName, $storage);

    // Where the fixture file would land if the name were joined to the base directory unchecked.
    $escapePath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal_write_test.json';
    $expectedMessage = 'The fixture name must not contain directory traversal components or invalid characters. Only alphanumeric characters, hyphens, slashes, and underscores are allowed.';

    $payload = new RecordedResponse(200, [], '{"pwned":true}');

    // The store must be refused before any file is touched...
    expect(fn () => $fixture->store($payload))->toThrow(FixtureException::class, $expectedMessage);

    // ...and the escape target must not have come into existence as a side effect.
    expect(file_exists($escapePath))->toBeFalse();
});