(t *testing.T)
| 78 | } |
| 79 | |
| 80 | func TestGetURLPathValidation(t *testing.T) { |
| 81 | testCases := []struct { |
| 82 | name string |
| 83 | baseURL string |
| 84 | pathParam string |
| 85 | expectError bool |
| 86 | expectedPath string |
| 87 | }{ |
| 88 | { |
| 89 | name: "valid subpath stays within base path", |
| 90 | baseURL: "https://api.good.com/base/", |
| 91 | pathParam: "v1", |
| 92 | expectError: false, |
| 93 | expectedPath: "/base/v1", |
| 94 | }, |
| 95 | { |
| 96 | name: "path with dot segments is rejected", |
| 97 | baseURL: "https://api.good.com/base/", |
| 98 | pathParam: "../v1", |
| 99 | expectError: true, |
| 100 | }, |
| 101 | { |
| 102 | name: "absolute path escaping base path scope is rejected", |
| 103 | baseURL: "https://api.good.com/base/", |
| 104 | pathParam: "/v1", |
| 105 | expectError: true, |
| 106 | }, |
| 107 | { |
| 108 | name: "absolute path for root base path is allowed", |
| 109 | baseURL: "https://api.good.com/", |
| 110 | pathParam: "/v1", |
| 111 | expectError: false, |
| 112 | expectedPath: "/v1", |
| 113 | }, |
| 114 | { |
| 115 | name: "path with url-encoded dot segments is rejected", |
| 116 | baseURL: "https://api.good.com/base/", |
| 117 | pathParam: "%2e%2e/v1", |
| 118 | expectError: true, |
| 119 | }, |
| 120 | { |
| 121 | name: "sibling path traversal via simple prefix matching is rejected", |
| 122 | baseURL: "https://api.good.com/base", |
| 123 | pathParam: "/base-private", |
| 124 | expectError: true, |
| 125 | }, |
| 126 | { |
| 127 | name: "exact match of base path without trailing slash is allowed", |
| 128 | baseURL: "https://api.good.com/base", |
| 129 | pathParam: "", |
| 130 | expectError: false, |
| 131 | expectedPath: "/base", |
| 132 | }, |
| 133 | { |
| 134 | name: "double dots in query parameters are allowed", |
| 135 | baseURL: "https://api.good.com/base/", |
| 136 | pathParam: "v1?date=2023-01-01..2023-01-31", |
| 137 | expectError: false, |