| 360 | } |
| 361 | |
| 362 | func TestStaticDirectoryHandlerAndRouterInconsistentEscaping(t *testing.T) { |
| 363 | var testCases = []struct { |
| 364 | name string |
| 365 | givenEnablePathUnescapingStaticFiles bool |
| 366 | givenRouterUnescapePathParamValues bool |
| 367 | givenRouterUseEscapedPathForMatching bool |
| 368 | whenURL string |
| 369 | expectBody string |
| 370 | expectStatus int |
| 371 | }{ |
| 372 | { |
| 373 | name: "ok, file is served from not-forbidden path", |
| 374 | givenEnablePathUnescapingStaticFiles: false, |
| 375 | whenURL: "/test.txt", |
| 376 | expectBody: "test.txt contents", |
| 377 | expectStatus: http.StatusOK, |
| 378 | }, |
| 379 | { |
| 380 | name: "ok, forbidden path is matched by route wildcard and forbidden by that", |
| 381 | givenEnablePathUnescapingStaticFiles: false, |
| 382 | whenURL: "/admin/private.txt", |
| 383 | expectBody: "{\"message\":\"Forbidden\"}", |
| 384 | expectStatus: http.StatusForbidden, |
| 385 | }, |
| 386 | { |
| 387 | name: "ok, escaped filename from forbidden path is routed to guarded route", |
| 388 | givenEnablePathUnescapingStaticFiles: false, |
| 389 | givenRouterUnescapePathParamValues: false, |
| 390 | givenRouterUseEscapedPathForMatching: true, // Router uses escaped path (req.URL.RawPath) for matching |
| 391 | whenURL: "/admin%2fprivate.txt", |
| 392 | expectBody: "{\"message\":\"Forbidden\"}", |
| 393 | expectStatus: http.StatusForbidden, |
| 394 | }, |
| 395 | { |
| 396 | name: "ok, escaped filename from forbidden path is not unescaped and results 404", |
| 397 | givenEnablePathUnescapingStaticFiles: false, // router path escaping and StaticDirectoryHandler is consistent |
| 398 | whenURL: "/admin%2fprivate.txt", |
| 399 | expectBody: "{\"message\":\"Not Found\"}", |
| 400 | expectStatus: http.StatusNotFound, |
| 401 | }, |
| 402 | { |
| 403 | name: "nok, escaped filename from forbidden path is unescaped and returns file contents (handler unescapes)", |
| 404 | givenEnablePathUnescapingStaticFiles: true, // router path escaping and StaticDirectoryHandler is NOT consistent |
| 405 | givenRouterUnescapePathParamValues: false, |
| 406 | whenURL: "/admin%2fprivate.txt", |
| 407 | expectBody: "public/admin/private.txt - private file", |
| 408 | expectStatus: http.StatusOK, |
| 409 | }, |
| 410 | { |
| 411 | name: "nok, escaped filename from forbidden path is unescaped and returns file contents (router unescapes)", |
| 412 | givenEnablePathUnescapingStaticFiles: false, |
| 413 | givenRouterUnescapePathParamValues: true, // router path escaping and StaticDirectoryHandler is NOT consistent |
| 414 | whenURL: "/admin%2fprivate.txt", |
| 415 | expectBody: "public/admin/private.txt - private file", |
| 416 | expectStatus: http.StatusOK, |
| 417 | }, |
| 418 | { |
| 419 | name: "nok, unescaped filename from forbidden path is escaped and returns file contents (router unescapes and method unescapes)", |