Test_Static_PathTraversal() — fiber Function Reference
Architecture documentation for the Test_Static_PathTraversal() function in static_test.go from the fiber codebase.
Source Code
middleware/static/static_test.go lines 925–1051
func Test_Static_PathTraversal(t *testing.T) {
	// Skip this test if running on Windows
	if runtime.GOOS == winOS {
		t.Skip("Skipping Windows-specific tests")
	}
	t.Parallel()
	app := fiber.New()

	// Serve only from testCSSDir
	// This directory should contain `style.css` but not `index.html` or anything above it.
	rootDir := testCSSDir
	app.Get("/*", New(rootDir))

	// A valid request: should succeed
	validReq := httptest.NewRequest(fiber.MethodGet, "/style.css", http.NoBody)
	validResp, err := app.Test(validReq)
	require.NoError(t, err, "app.Test(req)")
	require.Equal(t, 200, validResp.StatusCode, "Status code")
	require.Equal(t, fiber.MIMETextCSSCharsetUTF8, validResp.Header.Get(fiber.HeaderContentType))
	validBody, err := io.ReadAll(validResp.Body)
	require.NoError(t, err, "app.Test(req)")
	require.Contains(t, string(validBody), "color")

	// Helper function to assert that a given path is blocked.
	// Blocked can mean different status codes depending on what triggered the block.
	// We'll accept 400 or 404 as "blocked" statuses:
	// - 404 is the expected blocked response in most cases.
	// - 400 might occur if fasthttp rejects the request before it's even processed (e.g., null bytes).
	assertTraversalBlocked := func(path string) {
		req := httptest.NewRequest(fiber.MethodGet, path, http.NoBody)
		resp, err := app.Test(req)
		require.NoError(t, err, "app.Test(req)")
		status := resp.StatusCode
		require.Truef(t, status == 400 || status == 404,
			"Status code for path traversal %s should be 400 or 404, got %d", path, status)
		body, err := io.ReadAll(resp.Body)
		require.NoError(t, err)
		// If we got a 404, we expect the "Not Found" message because that's how fiber handles NotFound by default.
		if status == 404 {
			require.Contains(t, string(body), "Not Found",
				"Blocked traversal should have a \"Not Found\" message for %s", path)
		} else {
			// A 400 is expected to carry the "Are you a hacker?" body instead.
			require.Contains(t, string(body), "Are you a hacker?",
				"Rejected request should have an \"Are you a hacker?\" message for %s", path)
		}
	}

	// Basic attempts to escape the directory
	assertTraversalBlocked("/index.html..")
	assertTraversalBlocked("/style.css..")
	assertTraversalBlocked("/../index.html")
	assertTraversalBlocked("/../../index.html")
	assertTraversalBlocked("/../../../index.html")

	// Attempts with double slashes
	assertTraversalBlocked("//../index.html")
	assertTraversalBlocked("/..//index.html")

	// Encoded attempts: `%2e` is '.' and `%2f` is '/'
	assertTraversalBlocked("/..%2findex.html")        // ../index.html
	assertTraversalBlocked("/%2e%2e/index.html")      // ../index.html
	assertTraversalBlocked("/%2e%2e%2f%2e%2e/secret") // ../../secret

	// Mixed encoded and normal attempts
	assertTraversalBlocked("/%2e%2e/../index.html")   // ../../index.html
	assertTraversalBlocked("/..%2f..%2fsecret.json")  // ../../secret.json

	// Attempts with current directory references
	assertTraversalBlocked("/./../index.html")
	assertTraversalBlocked("/././../index.html")

	// Trailing slashes
	assertTraversalBlocked("/../")
	assertTraversalBlocked("/../../")

	// Attempts to load files from an absolute path outside the root
	assertTraversalBlocked("/" + rootDir + "/../../index.html")
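The test above only asserts on status codes. As an added example (not code from the fiber project, and not how its static middleware is implemented), the following sketch shows one conservative server-side check under which every path in the test would be rejected: decode once, refuse NUL bytes and any segment containing "..", then confirm the joined path is still under the root. The helper name resolveUnderRoot and the root /srv/static/css are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// resolveUnderRoot maps a raw request path to a file path under root.
// Hypothetical helper for illustration; it is not fiber's implementation.
func resolveUnderRoot(root, rawPath string) (string, bool) {
	// Decode once so %2e and %2f are checked in their decoded form.
	decoded, err := url.PathUnescape(rawPath)
	if err != nil || strings.ContainsRune(decoded, 0) {
		return "", false // malformed escape or NUL byte
	}
	// Reject any segment containing ".." before cleaning can hide it.
	// Conservative: this also refuses names such as "style.css..".
	for _, seg := range strings.Split(decoded, "/") {
		if strings.Contains(seg, "..") {
			return "", false
		}
	}
	// Defense in depth: clean, join, and verify containment under root.
	full := filepath.Join(root, filepath.FromSlash(path.Clean("/"+decoded)))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return full, true
}

func main() {
	root := "/srv/static/css" // constructed root, stands in for testCSSDir
	// Sample of the request paths used in the test above.
	for _, p := range []string{
		"/style.css", "/style.css..", "/../index.html", "//../index.html",
		"/..%2findex.html", "/%2e%2e%2f%2e%2e/secret", "/./../index.html", "/../",
	} {
		full, ok := resolveUnderRoot(root, p)
		fmt.Printf("%-28q allowed=%-5t %s\n", p, ok, full)
	}
}
```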
Frequently Asked Questions
What does Test_Static_PathTraversal() do?
Test_Static_PathTraversal() is a function in the fiber codebase, defined in middleware/static/static_test.go.
Where is Test_Static_PathTraversal() defined?
Test_Static_PathTraversal() is defined in middleware/static/static_test.go at line 925.