test: merge media invalid-path scenarios

This commit is contained in:
Peter Steinberger
2026-02-18 23:28:53 +00:00
parent 6f3a6013e3
commit 20849df702

View File

@@ -66,27 +66,31 @@ describe("media server", () => {
await expect(fs.stat(file)).rejects.toThrow();
});
it("blocks path traversal attempts", async () => {
// URL-encoded "../" to bypass client-side path normalization
const res = await fetch(`http://127.0.0.1:${port}/media/%2e%2e%2fpackage.json`);
expect(res.status).toBe(400);
expect(await res.text()).toBe("invalid path");
});
it("blocks symlink escaping outside media dir", async () => {
const target = path.join(process.cwd(), "package.json"); // outside MEDIA_DIR
const link = path.join(MEDIA_DIR, "link-out");
await fs.symlink(target, link);
const res = await fetch(`http://127.0.0.1:${port}/media/link-out`);
expect(res.status).toBe(400);
expect(await res.text()).toBe("invalid path");
});
it("rejects invalid media ids", async () => {
const file = path.join(MEDIA_DIR, "file2");
await fs.writeFile(file, "hello");
const res = await fetch(`http://127.0.0.1:${port}/media/invalid%20id`);
it.each([
{
testName: "blocks path traversal attempts",
mediaPath: "%2e%2e%2fpackage.json",
},
{
testName: "rejects invalid media ids",
mediaPath: "invalid%20id",
setup: async () => {
const file = path.join(MEDIA_DIR, "file2");
await fs.writeFile(file, "hello");
},
},
{
testName: "blocks symlink escaping outside media dir",
mediaPath: "link-out",
setup: async () => {
const target = path.join(process.cwd(), "package.json"); // outside MEDIA_DIR
const link = path.join(MEDIA_DIR, "link-out");
await fs.symlink(target, link);
},
},
] as const)("$testName", async (testCase) => {
await testCase.setup?.();
const res = await fetch(`http://127.0.0.1:${port}/media/${testCase.mediaPath}`);
expect(res.status).toBe(400);
expect(await res.text()).toBe("invalid path");
});