FuzzValidatePathTraversal specifically targets path traversal bypasses
(f *testing.F)
// FuzzValidatePathTraversal fuzzes Validate with strings assembled around
// dot-dot sequences. Each fuzz iteration receives three arbitrary strings
// (prefix, middle, suffix) and splices them around literal, backslash-prefixed,
// and percent-encoded ".." fragments.
//
// Two properties are checked for every constructed string:
//   - Validate must not panic (a panic is reported as a test error).
//   - If the string contains the literal substring "..", Validate must return
//     a non-nil error.
//
// NOTE(review): the rejection check keys on a literal ".." only. The
// "%2e%2e" and "%2e%2e%2f" candidates do not contain that substring by
// themselves, so for them this test asserts panic-safety and nothing more
// unless prefix or suffix happens to supply "..". Whether Validate is expected
// to reject percent-encoded dot-dot depends on whether any consumer decodes
// the value after validation; confirm against Validate's contract.
func FuzzValidatePathTraversal(f *testing.F) {
	// Seed corpus: a dot-dot in the first and second positions, plus one
	// triple with no traversal content at all.
	f.Add("..", "/", "")
	f.Add("", "..", "/")
	f.Add("a", "b", "c")

	f.Fuzz(func(t *testing.T, prefix, middle, suffix string) {
		// checkOne validates a single candidate. It is a separate closure so
		// that the deferred recover is scoped to one Validate call and the
		// remaining candidates still run after a panic.
		checkOne := func(candidate string) {
			defer func() {
				r := recover()
				if r == nil {
					return
				}
				t.Errorf("Validate panicked with constructed input %q: %v", candidate, r)
			}()

			if err := Validate(candidate); err != nil {
				// Rejected: nothing further to assert.
				return
			}

			// Accepted: that is only a failure when a literal ".." is present.
			if strings.Contains(candidate, "..") {
				t.Errorf("validation incorrectly passed for input containing '..': %q", candidate)
			}
		}

		// Candidate traversal strings, in a fixed order: plain, slash- and
		// backslash-prefixed, fuzz data before or after the dots, then the
		// percent-encoded forms.
		candidates := []string{
			prefix + ".." + suffix,
			prefix + "/.." + suffix,
			prefix + "\\.." + suffix,
			prefix + middle + ".." + suffix,
			prefix + "../" + middle + suffix,
			prefix + "..%2f" + suffix,
			prefix + "%2e%2e" + suffix,
			prefix + "%2e%2e%2f" + suffix,
		}

		for i := range candidates {
			checkOne(candidates[i])
		}
	})
}
nothing calls this directly
no test coverage detected