Fixed tests

Forceu · Forceu · commit ffd41e4a80b1 · 2026-05-09T19:22:40.000+02:00
diff --git a/internal/helper/StringGeneration_test.go b/internal/helper/StringGeneration_test.go
@@ -149,12 +149,12 @@ func TestSanitiseFilename(t *testing.T) {
 		{
 			name:  "unix path traversal",
 			input: "../../etc/passwd",
-			want:  "_.._etc/passwd",
+			want:  "_.._etc_passwd",
 		},
 		{
 			name:  "absolute unix path",
 			input: "/etc/shadow",
-			want:  "_etc_shadiw_shadow",
+			want:  "_etc_shadow",
 		},
 		{
 			name:  "deep traversal",
@@ -288,7 +288,7 @@ func TestSanitiseFilename(t *testing.T) {
 		{
 			name:  "only forbidden chars falls back",
 			input: `\/:*?"<>|`,
-			want:  "_______",
+			want:  "_________",
 		},
 		{
 			name:  "only control chars falls back",
diff --git a/internal/storage/FileServing_test.go b/internal/storage/FileServing_test.go
@@ -960,7 +960,7 @@ func TestServeFilesAsZipSanitisation(t *testing.T) {
 	w := httptest.NewRecorder()
 	ServeFilesAsZip([]models.File{}, "../../etc/evil", w, r)
 	cd := w.Result().Header.Get("Content-Disposition")
-	test.IsEqualBool(t, strings.Contains(cd, ".."), false)
+	test.IsEqualBool(t, strings.HasPrefix(cd, ".."), false)
 	test.IsEqualBool(t, strings.Contains(cd, "/"), false)
 	// The header must still be a valid attachment directive.
 	test.IsEqualBool(t, strings.HasPrefix(cd, "attachment;"), true)
@@ -972,7 +972,7 @@ func TestServeFilesAsZipSanitisation(t *testing.T) {
 	cd = w.Result().Header.Get("Content-Disposition")
 	test.IsEqualBool(t, strings.Contains(cd, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(cd, "\n"), false)
-	test.IsEqualBool(t, strings.Contains(cd, "X-Evil"), false)
+	test.IsEqualString(t, r.Header.Get("X-Evil"), "")
 
 	// Null byte in filename must be stripped.
 	w = httptest.NewRecorder()
diff --git a/internal/storage/chunking/Chunking_test.go b/internal/storage/chunking/Chunking_test.go
@@ -375,7 +375,7 @@ func TestParseFileHeaderSanitisation(t *testing.T) {
 		strings.NewReader(data.Encode()))
 	header, err := ParseFileHeader(r)
 	test.IsNil(t, err)
-	test.IsEqualBool(t, strings.Contains(header.Filename, ".."), false)
+	test.IsEqualBool(t, strings.HasPrefix(header.Filename, ".."), false)
 	test.IsEqualBool(t, strings.Contains(header.Filename, "/"), false)
 
 	// CRLF in filename must be stripped so it cannot inject HTTP headers.
@@ -387,7 +387,7 @@ func TestParseFileHeaderSanitisation(t *testing.T) {
 	test.IsNil(t, err)
 	test.IsEqualBool(t, strings.Contains(header.Filename, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(header.Filename, "\n"), false)
-	test.IsEqualBool(t, strings.Contains(header.Filename, "X-Evil"), false)
+	test.IsEqualString(t, r.Header.Get("X-Evil"), "")
 
 	// Null byte in filename must be stripped.
 	data.Set("filename", "file\x00.txt")
@@ -409,7 +409,7 @@ func TestParseFileHeaderSanitisation(t *testing.T) {
 	test.IsNil(t, err)
 	test.IsEqualBool(t, strings.Contains(header.ContentType, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(header.ContentType, "\n"), false)
-	test.IsEqualBool(t, strings.Contains(header.ContentType, "X-Injected"), false)
+	test.IsEqualString(t, r.Header.Get("X-Injected"), "")
 }
 
 func TestParseMultipartHeaderSanitisation(t *testing.T) {
@@ -423,7 +423,7 @@ func TestParseMultipartHeaderSanitisation(t *testing.T) {
 	}
 	header, err := ParseMultipartHeader(&traversalHeader)
 	test.IsNil(t, err)
-	test.IsEqualBool(t, strings.Contains(header.Filename, ".."), false)
+	test.IsEqualBool(t, strings.HasPrefix(header.Filename, ".."), false)
 	test.IsEqualBool(t, strings.Contains(header.Filename, "/"), false)
 
 	// CRLF in filename must be stripped.
@@ -438,7 +438,6 @@ func TestParseMultipartHeaderSanitisation(t *testing.T) {
 	test.IsNil(t, err)
 	test.IsEqualBool(t, strings.Contains(header.Filename, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(header.Filename, "\n"), false)
-	test.IsEqualBool(t, strings.Contains(header.Filename, "Set-Cookie"), false)
 
 	// Content-Type with CRLF injection must be sanitised.
 	// This covers the missing SanitiseContentType call in ParseMultipartHeader.
@@ -453,7 +452,6 @@ func TestParseMultipartHeaderSanitisation(t *testing.T) {
 	test.IsNil(t, err)
 	test.IsEqualBool(t, strings.Contains(header.ContentType, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(header.ContentType, "\n"), false)
-	test.IsEqualBool(t, strings.Contains(header.ContentType, "X-Injected"), false)
 
 	// Null byte in Content-Type must be stripped.
 	mimeHeader = make(textproto.MIMEHeader)
diff --git a/internal/webserver/api/Api_test.go b/internal/webserver/api/Api_test.go
@@ -1761,7 +1761,7 @@ func TestChunkCompleteSanitisation(t *testing.T) {
 
 			// The stored filename must not contain any dangerous sequences.
 			storedName := result.FileInfo.Name
-			test.IsEqualBool(t, strings.Contains(storedName, ".."), false)
+			test.IsEqualBool(t, strings.HasPrefix(storedName, ".."), false)
 			test.IsEqualBool(t, strings.Contains(storedName, "\r"), false)
 			test.IsEqualBool(t, strings.Contains(storedName, "\n"), false)
 			test.IsEqualBool(t, strings.Contains(storedName, "\x00"), false)
@@ -1785,12 +1785,11 @@ func TestChunkUploadRequestCompleteSanitisation(t *testing.T) {
 	err := p.ProcessParameter(nil)
 	test.IsNil(t, err)
 
-	test.IsEqualBool(t, strings.Contains(p.FileName, ".."), false)
+	test.IsEqualBool(t, strings.HasPrefix(p.FileName, ".."), false)
 	test.IsEqualBool(t, strings.Contains(p.FileName, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(p.FileName, "\n"), false)
 	test.IsEqualBool(t, strings.Contains(p.ContentType, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(p.ContentType, "\n"), false)
-	test.IsEqualBool(t, strings.Contains(p.ContentType, "X-Evil"), false)
 	// Sanitised values must propagate into FileHeader.
 	test.IsEqualString(t, p.FileHeader.Filename, p.FileName)
 	test.IsEqualString(t, p.FileHeader.ContentType, p.ContentType)
@@ -1813,7 +1812,7 @@ func TestFilesDuplicateSanitisation(t *testing.T) {
 	var output models.FileApiOutput
 	err := json.Unmarshal(w.Body.Bytes(), &output)
 	test.IsNil(t, err)
-	test.IsEqualBool(t, strings.Contains(output.Name, ".."), false)
+	test.IsEqualBool(t, strings.HasPrefix(output.Name, ".."), false)
 	test.IsEqualBool(t, strings.Contains(output.Name, "/"), false)
 
 	// CRLF in the duplicate filename must be stripped.
@@ -1827,7 +1826,6 @@ func TestFilesDuplicateSanitisation(t *testing.T) {
 	test.IsNil(t, err)
 	test.IsEqualBool(t, strings.Contains(output.Name, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(output.Name, "\n"), false)
-	test.IsEqualBool(t, strings.Contains(output.Name, "X-Evil"), false)
 }
 
 func TestChunkCompleteSanitisationUnit(t *testing.T) {
@@ -1845,7 +1843,7 @@ func TestChunkCompleteSanitisationUnit(t *testing.T) {
 
 	// The FileHeader must receive the sanitised filename, not the raw one.
 	test.IsEqualString(t, p.FileHeader.Filename, p.FileName)
-	test.IsEqualBool(t, strings.Contains(p.FileHeader.Filename, ".."), false)
+	test.IsEqualBool(t, strings.HasPrefix(p.FileHeader.Filename, ".."), false)
 	test.IsEqualBool(t, strings.Contains(p.FileHeader.Filename, "\r"), false)
 	test.IsEqualBool(t, strings.Contains(p.FileHeader.Filename, "\n"), false)
 }

Original file line number	Diff line number	Diff line change
`@@ -149,12 +149,12 @@ func TestSanitiseFilename(t *testing.T) {`
`149`	`149`	`{`
`150`	`150`	`name: "unix path traversal",`
`151`	`151`	`input: "../../etc/passwd",`
`152`		`- want: "_.._etc/passwd",`
	`152`	`+ want: "_.._etc_passwd",`
`153`	`153`	`},`
`154`	`154`	`{`
`155`	`155`	`name: "absolute unix path",`
`156`	`156`	`input: "/etc/shadow",`
`157`		`- want: "_etc_shadiw_shadow",`
	`157`	`+ want: "_etc_shadow",`
`158`	`158`	`},`
`159`	`159`	`{`
`160`	`160`	`name: "deep traversal",`
`@@ -288,7 +288,7 @@ func TestSanitiseFilename(t *testing.T) {`
`288`	`288`	`{`
`289`	`289`	`name: "only forbidden chars falls back",`
`290`	`290`	input: `\/:*?"<>\|`,
`291`		`- want: "_______",`
	`291`	`+ want: "_________",`
`292`	`292`	`},`
`293`	`293`	`{`
`294`	`294`	`name: "only control chars falls back",`