// TestValidateGitSubDirSecurityScenarios tests specific security scenarios:
// the traversal inputs reported in the issue must be rejected by
// validateGitSubDir with a "path traversal" error, while a nested relative
// path that stays inside the checkout must still be accepted.
func TestValidateGitSubDirSecurityScenarios(t *testing.T) {
	// Checkout root the sub-directory is resolved against.
	base := "/var/cache/docker-compose/git/1234567890abcdef"

	cases := []struct {
		name    string
		subDir  string
		wantErr string // substring the returned error must contain; empty means no error is expected
	}{
		// The exact vulnerability scenario from the issue: climb out of the
		// checkout directory into /tmp.
		{name: "CVE scenario - /tmp traversal", subDir: "../../../../../../../tmp/pwned", wantErr: "path traversal"},
		// Variation of the same attack aimed at a system file.
		{name: "CVE scenario - /etc traversal", subDir: "../../../../../../../../etc/passwd", wantErr: "path traversal"},
		// Legitimate nested path: must not be caught by the traversal check.
		{name: "legitimate nested path", subDir: "examples/docker-compose/nginx/config"},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			err := validateGitSubDir(base, tc.subDir)
			if tc.wantErr == "" {
				assert.NilError(t, err)
				return
			}
			// Only the error text is asserted, matching the original subtests.
			assert.ErrorContains(t, err, tc.wantErr)
		})
	}
}