TestPathPrefix tests that the provided path prefix is normalized correctly. If a leading '/' is missing, one should be added. If multiple leading '/' are present, they should be collapsed to one; the expected values also show that dot-dot segments (e.g. "/../.././etc/passwd") and an absolute URL (e.g. "http://evil.example.com") are reduced to a single clean, server-relative path. Additionally verify that this prevents open redirects when enforcing the path prefix: a Location header that begins with "//host" is scheme-relative and would send the browser off-site, so each case sends a request for "/" and checks that the redirect target is the normalized prefix plus a trailing '/', never an external host.
(t *testing.T)
| 1060 | // If multiple leading '/' are present, they should be collapsed to one. |
| 1061 | // Additionally verify that this prevents open redirects when enforcing the path prefix. |
| 1062 | func TestPathPrefix(t *testing.T) { |
| 1063 | tests := []struct { |
| 1064 | name string |
| 1065 | prefix string |
| 1066 | wantPrefix string |
| 1067 | wantLocation string |
| 1068 | }{ |
| 1069 | { |
| 1070 | name: "no-leading-slash", |
| 1071 | prefix: "javascript:alert(1)", |
| 1072 | wantPrefix: "/javascript:alert(1)", |
| 1073 | wantLocation: "/javascript:alert(1)/", |
| 1074 | }, |
| 1075 | { |
| 1076 | name: "2-slashes", |
| 1077 | prefix: "//evil.example.com/goat", |
| 1078 | // We must also get the trailing slash added: |
| 1079 | wantPrefix: "/evil.example.com/goat", |
| 1080 | wantLocation: "/evil.example.com/goat/", |
| 1081 | }, |
| 1082 | { |
| 1083 | name: "absolute-url", |
| 1084 | prefix: "http://evil.example.com", |
| 1085 | // We must also get the trailing slash added: |
| 1086 | wantPrefix: "/http:/evil.example.com", |
| 1087 | wantLocation: "/http:/evil.example.com/", |
| 1088 | }, |
| 1089 | { |
| 1090 | name: "double-dot", |
| 1091 | prefix: "/../.././etc/passwd", |
| 1092 | // We must also get the trailing slash added: |
| 1093 | wantPrefix: "/etc/passwd", |
| 1094 | wantLocation: "/etc/passwd/", |
| 1095 | }, |
| 1096 | } |
| 1097 | |
| 1098 | for _, tt := range tests { |
| 1099 | t.Run(tt.name, func(t *testing.T) { |
| 1100 | options := ServerOpts{ |
| 1101 | Mode: LoginServerMode, |
| 1102 | PathPrefix: tt.prefix, |
| 1103 | CGIMode: true, |
| 1104 | } |
| 1105 | s, err := NewServer(options) |
| 1106 | if err != nil { |
| 1107 | t.Error(err) |
| 1108 | } |
| 1109 | |
| 1110 | // verify provided prefix was normalized correctly |
| 1111 | if s.pathPrefix != tt.wantPrefix { |
| 1112 | t.Errorf("prefix was not normalized correctly; want=%q, got=%q", tt.wantPrefix, s.pathPrefix) |
| 1113 | } |
| 1114 | |
| 1115 | s.logf = t.Logf |
| 1116 | r := httptest.NewRequest(httpm.GET, "http://localhost/", nil) |
| 1117 | w := httptest.NewRecorder() |
| 1118 | s.ServeHTTP(w, r) |
| 1119 | res := w.Result() |