diff --git a/src/media/server.test.ts b/src/media/server.test.ts index b67c3a26cf..1166542b2a 100644 --- a/src/media/server.test.ts +++ b/src/media/server.test.ts @@ -66,27 +66,31 @@ describe("media server", () => { await expect(fs.stat(file)).rejects.toThrow(); }); - it("blocks path traversal attempts", async () => { - // URL-encoded "../" to bypass client-side path normalization - const res = await fetch(`http://127.0.0.1:${port}/media/%2e%2e%2fpackage.json`); - expect(res.status).toBe(400); - expect(await res.text()).toBe("invalid path"); - }); - - it("blocks symlink escaping outside media dir", async () => { - const target = path.join(process.cwd(), "package.json"); // outside MEDIA_DIR - const link = path.join(MEDIA_DIR, "link-out"); - await fs.symlink(target, link); - - const res = await fetch(`http://127.0.0.1:${port}/media/link-out`); - expect(res.status).toBe(400); - expect(await res.text()).toBe("invalid path"); - }); - - it("rejects invalid media ids", async () => { - const file = path.join(MEDIA_DIR, "file2"); - await fs.writeFile(file, "hello"); - const res = await fetch(`http://127.0.0.1:${port}/media/invalid%20id`); + it.each([ + { + testName: "blocks path traversal attempts", + mediaPath: "%2e%2e%2fpackage.json", + }, + { + testName: "rejects invalid media ids", + mediaPath: "invalid%20id", + setup: async () => { + const file = path.join(MEDIA_DIR, "file2"); + await fs.writeFile(file, "hello"); + }, + }, + { + testName: "blocks symlink escaping outside media dir", + mediaPath: "link-out", + setup: async () => { + const target = path.join(process.cwd(), "package.json"); // outside MEDIA_DIR + const link = path.join(MEDIA_DIR, "link-out"); + await fs.symlink(target, link); + }, + }, + ] as const)("$testName", async (testCase) => { + await testCase.setup?.(); + const res = await fetch(`http://127.0.0.1:${port}/media/${testCase.mediaPath}`); expect(res.status).toBe(400); expect(await res.text()).toBe("invalid path"); });