TestSplitPosSecurityRegressionUnicodeBypass guards against GHSA-3g8v-8r37-cgjm (uninitialized match flag on inner non-ASCII byte) and GHSA-v4h7-cj44-8fc8 (Unicode equivalence via search.IgnoreCase letting non-PHP files be picked up as the script). Every payload below produced a false positive in the
(t *testing.T)
| 276 | // non-PHP files be picked up as the script). Every payload below produced a |
| 277 | // false positive in the vulnerable implementation; none must match here. |
| 278 | func TestSplitPosSecurityRegressionUnicodeBypass(t *testing.T) { |
| 279 | t.Parallel() |
| 280 | |
| 281 | split := []string{".php"} |
| 282 | payloads := []string{ |
| 283 | "/PoC-match-unset.¡.txt", // GHSA-3g8v: match left set after IndexString fallback returned -1 |
| 284 | "/shell﹒php", // U+FE52 small full stop |
| 285 | "/shell.php", // U+FF0E fullwidth full stop |
| 286 | "/shell.php", // U+FF50 fullwidth p |
| 287 | "/shell.php", // U+FF48 fullwidth h |
| 288 | "/shell.php", // U+FF50 fullwidth p (trailing) |
| 289 | "/shell.\U0001D5C1\U0001D5B5\U0001D5C1", // mathematical sans-serif p/h |
| 290 | "/shell.\U0001D5FD\U0001D5F5\U0001D5FD", // mathematical sans-serif bold p/h |
| 291 | "/shell.\U0001D4C5\U0001D4BD\U0001D4C5", // mathematical script p/h |
| 292 | "/shell.ⓟⓗⓟ", // circled latin small |
| 293 | } |
| 294 | |
| 295 | for _, p := range payloads { |
| 296 | assert.Equalf(t, -1, splitPos(p, split), "payload %q must not be detected as .php", p) |
| 297 | } |
| 298 | } |
nothing calls this directly
no test coverage detected