MCPcopy
hub / github.com/googleapis/mcp-toolbox / TestGetURLPathValidation

Function TestGetURLPathValidation

internal/tools/http/http_url_test.go:80–177  ·  view source on GitHub ↗
(t *testing.T)

Source from the content-addressed store, hash-verified

78}
79
80func TestGetURLPathValidation(t *testing.T) {
81 testCases := []struct {
82 name string
83 baseURL string
84 pathParam string
85 expectError bool
86 expectedPath string
87 }{
88 {
89 name: "valid subpath stays within base path",
90 baseURL: "https://api.good.com/base/",
91 pathParam: "v1",
92 expectError: false,
93 expectedPath: "/base/v1",
94 },
95 {
96 name: "path with dot segments is rejected",
97 baseURL: "https://api.good.com/base/",
98 pathParam: "../v1",
99 expectError: true,
100 },
101 {
102 name: "absolute path escaping base path scope is rejected",
103 baseURL: "https://api.good.com/base/",
104 pathParam: "/v1",
105 expectError: true,
106 },
107 {
108 name: "absolute path for root base path is allowed",
109 baseURL: "https://api.good.com/",
110 pathParam: "/v1",
111 expectError: false,
112 expectedPath: "/v1",
113 },
114 {
115 name: "path with url-encoded dot segments is rejected",
116 baseURL: "https://api.good.com/base/",
117 pathParam: "%2e%2e/v1",
118 expectError: true,
119 },
120 {
121 name: "sibling path traversal via simple prefix matching is rejected",
122 baseURL: "https://api.good.com/base",
123 pathParam: "/base-private",
124 expectError: true,
125 },
126 {
127 name: "exact match of base path without trailing slash is allowed",
128 baseURL: "https://api.good.com/base",
129 pathParam: "",
130 expectError: false,
131 expectedPath: "/base",
132 },
133 {
134 name: "double dots in query parameters are allowed",
135 baseURL: "https://api.good.com/base/",
136 pathParam: "v1?date=2023-01-01..2023-01-31",
137 expectError: false,

Callers

nothing calls this directly

Calls 3

NewStringParameterFunction · 0.92
getURLFunction · 0.85
ParseMethod · 0.65

Tested by

no test coverage detected