avoid path traversal attack

2026-03-21 03:21:36 +01:00 · 2018-11-30 08:11:26 +01:00
parent 0bbe7352c2
commit 53be8b112b
2 changed files with 25 additions and 0 deletions
--- a/scm-core/src/test/java/sonia/scm/repository/InitialRepositoryLocationResolverTest.java
+++ b/scm-core/src/test/java/sonia/scm/repository/InitialRepositoryLocationResolverTest.java
@@ -1,5 +1,6 @@
 package sonia.scm.repository;

+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
@@ -20,4 +21,20 @@ class InitialRepositoryLocationResolverTest {
    assertThat(path).isRelative();
    assertThat(path.toString()).isEqualTo("repositories" + File.separator + "42");
  }
+
+  @Test
+  void shouldThrowIllegalArgumentExceptionIfIdHasASlash() {
+    InitialRepositoryLocationResolver resolver = new InitialRepositoryLocationResolver();
+    Assertions.assertThrows(IllegalArgumentException.class, () -> {
+      resolver.getPath("../../../passwd");
+    });
+  }
+
+  @Test
+  void shouldThrowIllegalArgumentExceptionIfIdHasABackSlash() {
+    InitialRepositoryLocationResolver resolver = new InitialRepositoryLocationResolver();
+    Assertions.assertThrows(IllegalArgumentException.class, () -> {
+      resolver.getPath("..\\..\\..\\users.ntlm");
+    });
+  }
 }