
Test_Static_PathTraversal_WindowsOnly() — fiber Function Reference

Architecture documentation for the Test_Static_PathTraversal_WindowsOnly() function in static_test.go from the fiber codebase.


Dependency Diagram

graph TD
  6d830918_6ea0_12c2_c460_0e4863a02fe6["Test_Static_PathTraversal_WindowsOnly()"]
  f26a2d79_1e01_f027_82eb_45c4308747e8["static_test.go"]
  6d830918_6ea0_12c2_c460_0e4863a02fe6 -->|defined in| f26a2d79_1e01_f027_82eb_45c4308747e8
  style 6d830918_6ea0_12c2_c460_0e4863a02fe6 fill:#6366f1,stroke:#818cf8,color:#fff


Source Code

middleware/static/static_test.go lines 1053–1135

func Test_Static_PathTraversal_WindowsOnly(t *testing.T) {
	// Skip this test if not running on Windows
	if runtime.GOOS != winOS {
		t.Skip("Skipping Windows-specific tests")
	}

	t.Parallel()
	app := fiber.New()

	// Serve only from testCSSDir
	rootDir := testCSSDir
	app.Get("/*", New(rootDir))

	// A valid request (relative path without backslash):
	validReq := httptest.NewRequest(fiber.MethodGet, "/style.css", http.NoBody)
	validResp, err := app.Test(validReq)
	require.NoError(t, err, "app.Test(req)")
	require.Equal(t, 200, validResp.StatusCode, "Status code for valid file on Windows")
	body, err := io.ReadAll(validResp.Body)
	require.NoError(t, err, "app.Test(req)")
	require.Contains(t, string(body), "color")

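	// assertTraversalBlocked sends a GET for path through the app and requires
	// that the static handler refuses it: the status must be 400 or 404, and
	// the body of that same response must carry the matching rejection text.
	assertTraversalBlocked := func(path string) {
		t.Helper()

		req := httptest.NewRequest(fiber.MethodGet, path, http.NoBody)
		resp, err := app.Test(req)
		require.NoError(t, err, "app.Test(req)")

		// We expect a blocked request to return either 400 or 404
		status := resp.StatusCode
		require.Containsf(t, []int{400, 404}, status,
			"Status code for path traversal %s should be 400 or 404, got %d", path, status)

		// Read the body of the blocked response itself. The outer `body`
		// variable holds the contents of the earlier valid /style.css response;
		// asserting on it would never inspect what the handler actually sent
		// back for the traversal attempt.
		respBody, err := io.ReadAll(resp.Body)
		require.NoError(t, err, "io.ReadAll(resp.Body)")

		if status == 404 {
			// A 404 must not leak file contents, only the "Not Found" text.
			require.Containsf(t, string(respBody), "Not Found",
				"Blocked traversal should have a \"Not Found\" message for %s", path)
		} else {
			// A 400 is expected to carry the server's bad-request text.
			require.Containsf(t, string(respBody), "Are you a hacker?",
				"Blocked traversal should have an \"Are you a hacker?\" message for %s", path)
		}
	}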

	// Windows-specific traversal attempts
	// Backslashes are treated as directory separators on Windows.
	assertTraversalBlocked("/..\\index.html")
	assertTraversalBlocked("/..\\..\\index.html")
	assertTraversalBlocked("/..\\..\\..\\Windows\\win.ini")
	assertTraversalBlocked("/..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts")
	assertTraversalBlocked("/%5C..%5C..%5CWindows%5Cwin.ini")
	assertTraversalBlocked("/%255C..%255C..%255CWindows%255Cwin.ini")
	assertTraversalBlocked("/%5c..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts")
	assertTraversalBlocked("/C:\\Windows\\System32\\cmd.exe")
	assertTraversalBlocked("/C:%5CWindows%5CSystem32%5Ccmd.exe")
	assertTraversalBlocked("/%43:%5CWindows%5CSystem32%5Ccmd.exe")
	assertTraversalBlocked("/%5c%5cserver%5cshare%5csecret.txt")
	assertTraversalBlocked("//server\\share\\secret.txt")
	assertTraversalBlocked("//server/share/secret.txt")
	assertTraversalBlocked("/%2F%2Fserver%2Fshare%2Fsecret.txt")

	// Attempt with a path that might try to reference Windows drives or absolute paths
	// Note: These are artificial tests to ensure no drive-letter escapes are allowed.
	assertTraversalBlocked("/C:\\Windows\\System32\\cmd.exe")
	assertTraversalBlocked("/C:/Windows/System32/cmd.exe")

	// Attempt with UNC-like paths (though unlikely in a web context, good to test)
	assertTraversalBlocked("//server\\share\\secret.txt")

	// Attempt using a mixture of forward and backward slashes
	assertTraversalBlocked("/..\\..\\/index.html")

	// Attempt that includes a null-byte on Windows
	assertTraversalBlocked("/index.html%00.txt")

	// Check behavior on an obviously nonexistent and suspicious file
	assertTraversalBlocked("/\\this\\path\\does\\not\\exist\\..")

	// Attempts involving relative traversal and current directory reference
	assertTraversalBlocked("/.\\../index.html")


Frequently Asked Questions

What does Test_Static_PathTraversal_WindowsOnly() do?
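Test_Static_PathTraversal_WindowsOnly() is a test function in the fiber codebase, defined in middleware/static/static_test.go. It runs only on Windows: it serves testCSSDir through the static middleware, confirms that /style.css is returned with status 200, and then asserts that a series of traversal attempts (backslash separators, percent-encoded and double-encoded backslashes, drive-letter paths, UNC-style paths, and a null byte) are answered with 400 or 404.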
Where is Test_Static_PathTraversal_WindowsOnly() defined?
Test_Static_PathTraversal_WindowsOnly() is defined in middleware/static/static_test.go at line 1053.
