From 01c8df01ec0608f1f25b2f1444adabb98fa5ee8a Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Thu, 24 Oct 2019 01:51:46 -0700
Subject: internal: move packages under this directory (#5836)
* Rename pkg -> internal
* Rename routes -> route
* Move route -> internal/route
* Rename models -> db
* Move db -> internal/db
* Fix route2 -> route
* Move cmd -> internal/cmd
* Bump version
---
internal/tool/path_test.go | 53 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 internal/tool/path_test.go
(limited to 'internal/tool/path_test.go')
diff --git a/internal/tool/path_test.go b/internal/tool/path_test.go
new file mode 100644
index 00000000..44ee975f
--- /dev/null
+++ b/internal/tool/path_test.go
@@ -0,0 +1,53 @@
+// Copyright 2018 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package tool
+
+import (
+ "testing"
+
+ . "github.com/smartystreets/goconvey/convey"
+)
+
+func Test_IsSameSiteURLPath(t *testing.T) {
+ Convey("Check if a path belongs to the same site", t, func() {
+ testCases := []struct {
+ url string
+ expect bool
+ }{
+ {"//github.com", false},
+ {"http://github.com", false},
+ {"https://github.com", false},
+ {"/\\github.com", false},
+
+ {"/admin", true},
+ {"/user/repo", true},
+ }
+
+ for _, tc := range testCases {
+ So(IsSameSiteURLPath(tc.url), ShouldEqual, tc.expect)
+ }
+ })
+}
+
+func Test_IsMaliciousPath(t *testing.T) {
+ Convey("Detects malicious path", t, func() {
+ testCases := []struct {
+ path string
+ expect bool
+ }{
+ {"../../../../../../../../../data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8", true},
+ {"..\\/..\\/../data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8", true},
+ {"data/gogs/../../../../../../../../../data/sessions/a/9/a9f0ab6c3ef63dd8", true},
+ {"..\\..\\..\\..\\..\\..\\..\\..\\..\\data\\gogs\\data\\sessions\\a\\9\\a9f0ab6c3ef63dd8", true},
+ {"data\\gogs\\..\\..\\..\\..\\..\\..\\..\\..\\..\\data\\sessions\\a\\9\\a9f0ab6c3ef63dd8", true},
+
+ {"data/sessions/a/9/a9f0ab6c3ef63dd8", false},
+ {"data\\sessions\\a\\9\\a9f0ab6c3ef63dd8", false},
+ }
+ for _, tc := range testCases {
+ So(IsMaliciousPath(tc.path), ShouldEqual, tc.expect)
+ }
+ })
+}
--
cgit v1.2.3
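Review bot: The `Test_IsMaliciousPath` table pins `..` only as a leading or middle segment, so a trailing segment and a benign name that merely contains two dots are left unpinned; adding `{"data/sessions/..", true}` and `{"data/sessions/a..b", false}` would fix both the positive and the negative boundary. `Test_IsSameSiteURLPath` likewise has no case for the empty string or for a path without a leading slash, and the intended result for those should be decided and recorded, e.g. `{"", false}`. Both helpers are implemented outside this hunk, so the expected values above are inferred from the function names and need confirming against the code. Because every case runs under a single `Convey`, a failure does not say which input broke; wrapping the assertion as `Convey(tc.path, func() { So(IsMaliciousPath(tc.path), ShouldEqual, tc.expect) })` would name it.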