akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
5dfd546b42236e36d3a285cbf5ec9d70125126fd
Charon/backend/internal/api/handlers/backup_handler_sanitize_test.go
GitHub Actions 63cebf07ab Refactor services and improve error handling 
- Updated file permissions in certificate_service_test.go and log_service_test.go to use octal notation.
- Added a new doc.go file to document the services package.
- Enhanced error handling in docker_service.go, log_service.go, notification_service.go, proxyhost_service.go, remoteserver_service.go, update_service.go, and uptime_service.go by logging errors when closing resources.
- Improved log_service.go to simplify log file processing and deduplication.
- Introduced CRUD tests for notification templates in notification_service_template_test.go.
- Removed the obsolete python_compile_check.sh script.
- Updated notification_service.go to improve template management functions.
- Added tests for uptime service notifications in uptime_service_notification_test.go.
2025-12-08 05:55:17 +00:00

66 lines
2.1 KiB
Go
Raw Blame History

package handlers
import (
"bytes"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"regexp"
"strings"
"testing"
"github.com/Wikid82/charon/backend/internal/logger"
"github.com/Wikid82/charon/backend/internal/services"
"github.com/gin-gonic/gin"
)
func TestBackupHandlerSanitizesFilename(t *testing.T) {
gin.SetMode(gin.TestMode)
tmpDir := t.TempDir()
// prepare a fake "database"
dbPath := filepath.Join(tmpDir, "db.sqlite")
if err := os.WriteFile(dbPath, []byte("db"), 0o644); err != nil {
t.Fatalf("failed to create tmp db: %v", err)
}
svc := &services.BackupService{DataDir: tmpDir, BackupDir: tmpDir, DatabaseName: "db.sqlite", Cron: nil}
h := NewBackupHandler(svc)
// Create a gin test context and use it to call handler directly
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
// Ensure request-scoped logger is present and writes to our buffer
c.Set("logger", logger.WithFields(map[string]interface{}{"test": "1"}))
// initialize logger to buffer
buf := &bytes.Buffer{}
logger.Init(true, buf)
// Create a malicious filename with newline and path components
malicious := "../evil\nname"
c.Request = httptest.NewRequest(http.MethodGet, "/backups/"+strings.ReplaceAll(malicious, "\n", "%0A")+"/restore", http.NoBody)
// Call handler directly with the test context
h.Restore(c)
out := buf.String()
// Optionally we could assert on the response status code here if needed
textRegex := regexp.MustCompile(`filename=?"?([^"\s]*)"?`)
jsonRegex := regexp.MustCompile(`"filename":"([^"]*)"`)
var loggedFilename string
if m := textRegex.FindStringSubmatch(out); len(m) == 2 {
loggedFilename = m[1]
} else if m := jsonRegex.FindStringSubmatch(out); len(m) == 2 {
loggedFilename = m[1]
} else {
t.Fatalf("could not extract filename from logs: %s", out)
}
if strings.Contains(loggedFilename, "\n") || strings.Contains(loggedFilename, "\r") {
t.Fatalf("log filename contained raw newline: %q", loggedFilename)
}
if strings.Contains(loggedFilename, "..") {
t.Fatalf("log filename contained path traversals in filename: %q", loggedFilename)
}
}
Reference in New Issue View Git Blame Copy Permalink