
test: fix defect path traversal tests #50124

Merged
merged 1 commit into from
Oct 16, 2023

Conversation

tniessen
Member

The test never actually tested what it claims to test because it did not properly insert separators before ...

@tniessen tniessen added permission Issues and PRs related to the Permission Model test Issues and PRs related to the tests. security Issues and PRs related to security. labels Oct 10, 2023
@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Oct 10, 2023
@tniessen tniessen added the request-ci Add this label to start a Jenkins CI on a PR. label Oct 10, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 10, 2023

@tniessen tniessen added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Oct 11, 2023
Trott
Trott previously approved these changes Oct 11, 2023
@Trott Trott dismissed their stale review October 11, 2023 15:40

Actually, I'm not 100% sure I understand the motivation of the change and would rather wait for Rafael to weigh in

@tniessen
Member Author

I'm not 100% sure I understand the motivation of the change

The existing test seems to assume that

const allowedFolder = tmpdir.resolve('subdirectory/');

keeps the trailing /, however, tmpdir.resolve() simply uses path.resolve() internally, which discards trailing separators, so allowedFolder ends with subdirectory, not subdirectory/.

The other JavaScript file then constructs paths as follows:

const traversalPath = allowedFolder + '../file.md';

Therefore, traversalPath ends with subdirectory../file.md, which is not a path traversal scenario. Adding a separator in front of .. solves this and should lead to an actual attempt at path traversal (i.e., subdirectory/../file.md).

The test never actually tested what it claims to test because it did not
properly insert separators before `..`.
@tniessen
Member Author

Rebased due to a conflict with f447a46.

@tniessen tniessen requested review from RafaelGSS and removed request for RafaelGSS October 15, 2023 13:42
@RafaelGSS RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Oct 15, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 15, 2023
@tniessen tniessen added the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 16, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 16, 2023
@nodejs-github-bot nodejs-github-bot merged commit 0c56962 into nodejs:main Oct 16, 2023
53 checks passed
@nodejs-github-bot
Collaborator

Landed in 0c56962

kumarrishav pushed a commit to kumarrishav/node that referenced this pull request Oct 16, 2023
The test never actually tested what it claims to test because it did not
properly insert separators before `..`.

PR-URL: nodejs#50124
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
targos pushed a commit that referenced this pull request Oct 23, 2023
The test never actually tested what it claims to test because it did not
properly insert separators before `..`.

PR-URL: #50124
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
alexfernandez pushed a commit to alexfernandez/node that referenced this pull request Nov 1, 2023
The test never actually tested what it claims to test because it did not
properly insert separators before `..`.

PR-URL: nodejs#50124
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
targos pushed a commit that referenced this pull request Nov 11, 2023
The test never actually tested what it claims to test because it did not
properly insert separators before `..`.

PR-URL: #50124
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>