From 20d49edf3d411b871352aaef31dc3bfc963a976f Mon Sep 17 00:00:00 2001
From: simon lehericey
Date: Mon, 3 Jul 2023 17:37:00 +0200
Subject: [PATCH] test: traversal attack
---
 .../fixtures/server-static/uploads/out_of_jail.txt | 1 +
 tests/helpers/curl.rs | 1 +
 tests/traversal_attack.rs | 14 ++++++++++++++
 3 files changed, 16 insertions(+)
 create mode 100644 tests/fixtures/server-static/uploads/out_of_jail.txt
 create mode 100644 tests/traversal_attack.rs
diff --git a/tests/fixtures/server-static/uploads/out_of_jail.txt b/tests/fixtures/server-static/uploads/out_of_jail.txt
new file mode 100644
index 0000000..9dae856
--- /dev/null
+++ b/tests/fixtures/server-static/uploads/out_of_jail.txt
@@ -0,0 +1 @@
+fail
diff --git a/tests/helpers/curl.rs b/tests/helpers/curl.rs
index 1d9c583..78827a1 100644
--- a/tests/helpers/curl.rs
+++ b/tests/helpers/curl.rs
@@ -5,6 +5,7 @@ pub fn curl_get_status(url: &str) -> String {
 let stdout = Command::new("curl")
 .arg("-XGET")
 .arg(url)
+ .arg("--path-as-is")
 .arg("-o")
 .arg("/dev/null")
 .arg("-s")
diff --git a/tests/traversal_attack.rs b/tests/traversal_attack.rs
new file mode 100644
index 0000000..10ccf78
--- /dev/null
+++ b/tests/traversal_attack.rs
@@ -0,0 +1,14 @@
+use serial_test::serial;
+
+mod helpers;
+pub use helpers::*;
+
+#[test]
+#[serial(servers)]
+fn traversal_attack_is_avoided() {
+ let _proxy_and_node = ProxyAndNode::start();
+
+ let curl_download = curl_get_status("localhost:4444/upstream/../../out_of_jail.txt");
+ println!("curl_download: {:?}", curl_download);
+ assert_eq!(curl_download, "404");
+}
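Review bot: The added `.arg("--path-as-is")` in `curl_get_status` has no comment, yet the new traversal test depends on it entirely. Without the flag curl collapses `/../` segments on the client, so the server never sees them. I would put `// Send the path verbatim; curl otherwise squashes "../" before the request leaves the client.` directly above it. The flag now applies to every caller of this shared helper, and as far as I recall it needs curl 7.42.0 or later, so an older curl on a CI runner would fail for reasons unrelated to the server. The function body continues past the hunk, so how a curl failure is reported is not visible here.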
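Review bot: `traversal_attack_is_avoided` asserts only that a single request returns `404`, so it can pass without the jail check ever running. The same status would come back if `/upstream/` is not routed at all, or if `../../` from the served directory does not resolve to `uploads/out_of_jail.txt`. Add a positive control before the traversal request, e.g. `assert_eq!(curl_get_status("localhost:4444/upstream/<file-inside-jail>"), "200");`, where the path is a placeholder for a fixture that is actually served. A short comment naming the directory that `/upstream/` maps to would make the fixture's depth checkable; that mapping is not visible in this patch and should be confirmed.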