(t *testing.T)
| 1679 | } |
| 1680 | |
// TestCheckURLPathTraversal pins which inputs checkURLPathTraversal accepts
// (nil error) and which it rejects with ErrPathForbidden.
//
// Every rejected input in the table contains a path segment that is exactly
// "..". Inputs where ".." appears only inside a file name or a query value are
// expected to pass.
//
// NOTE(review): no case covers percent-encoded dot segments (such as "%2e%2e")
// or backslash separators. Confirm what checkURLPathTraversal should return
// for those and pin it here.
func TestCheckURLPathTraversal(t *testing.T) {
	t.Parallel()

	type pathCase struct {
		input   string
		wantErr error
	}
	cases := []pathCase{
		// Relative paths without a ".." segment; ".." inside a file name or
		// query value is not treated as traversal.
		{input: "repos/o/r/contents/file.txt", wantErr: nil},
		{input: "repos/o/r/contents/dir/file.txt", wantErr: nil},
		{input: "repos/o/r/contents/file..txt", wantErr: nil},
		{input: "repos/o/r?q=a..b", wantErr: nil},
		// Relative paths with a ".." segment at the start, middle or end.
		{input: "repos/../admin/users", wantErr: ErrPathForbidden},
		{input: "repos/x/../../../admin", wantErr: ErrPathForbidden},
		{input: "../admin", wantErr: ErrPathForbidden},
		{input: "repos/o/r/contents/..", wantErr: ErrPathForbidden},
		{input: "repos/o/r/contents/../secrets", wantErr: ErrPathForbidden},
		// Absolute URLs: the scheme and host must not hide a ".." segment.
		{input: "https://api.github.com/repos/../admin", wantErr: ErrPathForbidden},
		{input: "https://api.github.com/repos/o/r/contents/file.txt", wantErr: nil},
		{input: "https://api.github.com/repos/o/r/contents/file..txt", wantErr: nil},
		// A trailing fragment changes neither outcome.
		{input: "repos/o/r/contents/file.txt#section", wantErr: nil},
		{input: "repos/../admin#frag", wantErr: ErrPathForbidden},
		// Userinfo in the authority changes neither outcome.
		{input: "https://user:pass@api.github.com/repos/../admin", wantErr: ErrPathForbidden},
		{input: "https://user:pass@api.github.com/repos/o/r", wantErr: nil},
	}

	for _, tc := range cases {
		got := checkURLPathTraversal(tc.input)
		// errors.Is(nil, nil) is true, so a nil wantErr only matches a nil
		// result; any unexpected error is reported below.
		if errors.Is(got, tc.wantErr) {
			continue
		}
		t.Errorf("checkURLPathTraversal(%q) = %v, want %v", tc.input, got, tc.wantErr)
	}
}
| 1714 | |
| 1715 | func TestNewRequest_pathTraversal(t *testing.T) { |
| 1716 | t.Parallel() |