Add failing tests for input dimension and path traversal validation

Tests for: - ErrInputTooLarge when input image exceeds MaxInputDimension - ErrPathTraversal for ../, encoded traversal, backslashes, null bytes
2026-01-08 08:48:11 -08:00
parent 857be30e82
commit c964feac7e
4 changed files with 168 additions and 0 deletions
--- a/internal/imgcache/urlparser_test.go
+++ b/internal/imgcache/urlparser_test.go
@@ -247,6 +247,94 @@ func TestParsedURL_ToImageRequest(t *testing.T) {
 	}
 }

+func TestParseImageURL_PathTraversal(t *testing.T) {
+	// All path traversal attempts should be rejected
+	tests := []struct {
+		name  string
+		input string
+	}{
+		{
+			name:  "simple parent directory",
+			input: "/v1/image/cdn.example.com/../etc/passwd/800x600.jpeg",
+		},
+		{
+			name:  "double parent directory",
+			input: "/v1/image/cdn.example.com/../../etc/passwd/800x600.jpeg",
+		},
+		{
+			name:  "parent in middle of path",
+			input: "/v1/image/cdn.example.com/photos/../../../etc/passwd/800x600.jpeg",
+		},
+		{
+			name:  "encoded parent directory",
+			input: "/v1/image/cdn.example.com/photos/%2e%2e/secret/800x600.jpeg",
+		},
+		{
+			name:  "double encoded parent",
+			input: "/v1/image/cdn.example.com/photos/%252e%252e/secret/800x600.jpeg",
+		},
+		{
+			name:  "backslash traversal",
+			input: "/v1/image/cdn.example.com/photos/..\\secret/800x600.jpeg",
+		},
+		{
+			name:  "mixed slashes",
+			input: "/v1/image/cdn.example.com/photos/../\\../secret/800x600.jpeg",
+		},
+		{
+			name:  "null byte injection",
+			input: "/v1/image/cdn.example.com/photos/image.jpg%00.png/800x600.jpeg",
+		},
+		{
+			name:  "parent at start of path",
+			input: "/v1/image/cdn.example.com/../800x600.jpeg",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := ParseImageURL(tt.input)
+			if err == nil {
+				t.Error("ParseImageURL() should reject path traversal attempts")
+			}
+
+			if err != ErrPathTraversal {
+				t.Errorf("ParseImageURL() error = %v, want ErrPathTraversal", err)
+			}
+		})
+	}
+}
+
+func TestParseImagePath_PathTraversal(t *testing.T) {
+	// Test path traversal via ParseImagePath (chi wildcard)
+	tests := []struct {
+		name  string
+		input string
+	}{
+		{
+			name:  "parent directory in path",
+			input: "cdn.example.com/photos/../secret/800x600.jpeg",
+		},
+		{
+			name:  "encoded traversal",
+			input: "cdn.example.com/photos/%2e%2e/secret/800x600.jpeg",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := ParseImagePath(tt.input)
+			if err == nil {
+				t.Error("ParseImagePath() should reject path traversal attempts")
+			}
+
+			if err != ErrPathTraversal {
+				t.Errorf("ParseImagePath() error = %v, want ErrPathTraversal", err)
+			}
+		})
+	}
+}
+
 // errorIs checks if err matches target (handles wrapped errors).
 func errorIs(err, target error) bool {
 	if err == target {