Added testing to cover work done in last commit

Relates to the comments in 7224fbcc89.
Added test cases. Ensured they failed pre-commit.
Also tested a range of the altered endpoints manually on both local and
s3-like filesystems.
This commit is contained in:
Dan Brown 2021-10-08 21:47:59 +01:00
parent 7224fbcc89
commit 41541df6ec
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9


@ -229,6 +229,34 @@ class ExportTest extends TestCase
$resp->assertSee('src="/uploads/svg_test.svg"');
}
public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local()
{
$contents = file_get_contents(public_path('.htaccess'));
config()->set('filesystems.images', 'local');
$page = Page::query()->first();
$page->html = '<img src="http://localhost/uploads/images/../../.htaccess"/>';
$page->save();
$resp = $this->asEditor()->get($page->getUrl('/export/html'));
$resp->assertDontSee(base64_encode($contents));
}
public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local_secure()
{
$testFilePath = storage_path('logs/test.txt');
config()->set('filesystems.images', 'local_secure');
file_put_contents($testFilePath, 'I am a cat');
$page = Page::query()->first();
$page->html = '<img src="http://localhost/uploads/images/../../logs/test.txt"/>';
$page->save();
$resp = $this->asEditor()->get($page->getUrl('/export/html'));
$resp->assertDontSee(base64_encode('I am a cat'));
unlink($testFilePath);
}
public function test_exports_removes_scripts_from_custom_head()
{
$entities = [
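Review bot: `test_page_export_contained_html_does_not_allow_upward_traversal_with_local_secure` leaves `storage/logs/test.txt` behind whenever the `assertDontSee` on the line before `unlink($testFilePath)` fails, because nothing guarantees the cleanup runs; wrap it as `try { $resp->assertDontSee(base64_encode('I am a cat')); } finally { unlink($testFilePath); }`. The `_with_local` variant uses `public_path('.htaccess')` as its sentinel, so the test depends on a deployment file rather than a fixture it controls — if that file is absent, `file_get_contents` returns false and the assertion degrades to a check against an empty string; either add `self::assertFileExists(public_path('.htaccess'));` before reading it or write a marker file the way the `local_secure` test does. Both tests are negative-only (`assertDontSee`), so they would also pass if image embedding were broken for every URL; a companion assertion that the export responds successfully and still embeds an in-bounds image (as the `svg_test.svg` test above does) would show that the traversal rejection, not a general failure, is what keeps the sentinel out of the output. `test_exports_removes_scripts_from_custom_head` begins at the end of the hunk and continues outside it, and the enclosing `ExportTest` class starts before the hunk.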