This is an automated email from the ASF dual-hosted git repository.

littlecui pushed a commit to branch test
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git

commit d04b9c94a65ecc058892d020be47aebceb889df8
Author: little-cui <[email protected]>
AuthorDate: Sat Dec 19 07:38:50 2020 +0800

    SCB-2094 Fix Security Vulnerability - Directory Traversal
---
 frontend/server_test.go | 44 +++++++++++++++++++++++++++++---------------
 go.mod                  |  3 +--
 2 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/frontend/server_test.go b/frontend/server_test.go
index 6ed0db2..83635db 100644
--- a/frontend/server_test.go
+++ b/frontend/server_test.go
@@ -17,12 +17,13 @@
 package main
 
 import (
+       "github.com/stretchr/testify/assert"
        "io/ioutil"
        "net/http"
        "sync"
        "testing"
 
-       "github.com/labstack/echo"
+       "github.com/labstack/echo/v4"
 )
 
 const (
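Review bot: The added `"github.com/stretchr/testify/assert"` import sits inside the standard-library group ahead of `io/ioutil`, while the file already keeps external modules in a separate group after the blank line (where `echo/v4` lives); goimports would move it there, so the line belongs after `"github.com/labstack/echo/v4"`. The go.mod hunk in this commit does not add testify, so presumably it is already a module dependency — worth confirming rather than relying on a transitive requirement.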
@@ -46,13 +47,9 @@ func TestStatic(t *testing.T) {
 
        wg.Wait()
        res, err := http.Get("http://"; + FrontAddr)
-       if err != nil {
-               t.Errorf("Error accessing frontend: %s", err)
-       }
-       if res.StatusCode != http.StatusOK {
-               t.Errorf("Expected http %d, got %d", http.StatusOK, 
res.StatusCode)
-       }
-
+       assert.NoError(t, err, "Error accessing frontend: %s", err)
+       assert.Equal(t, http.StatusOK, res.StatusCode, "Expected http %d, got 
%d", http.StatusOK, res.StatusCode)
+       _ = res.Body.Close()
 }
 
 func TestSCProxy(t *testing.T) {
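Review bot: `assert.NoError(t, err, ...)` on the new line records the failure and continues, so when `http.Get` fails `res` is nil and the following `res.StatusCode` dereference panics, replacing the intended assertion message with a nil-pointer crash. Use `require.NoError(t, err, "Error accessing frontend: %s", err)` from `github.com/stretchr/testify/require`, or bail out explicitly with `if !assert.NoError(t, err, "Error accessing frontend: %s", err) { return }`. The same pattern is introduced in the TestSCProxy and TestDirectoryTraversal hunks below. The body of TestStatic begins before this hunk.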
@@ -68,17 +65,14 @@ func TestSCProxy(t *testing.T) {
                        return c.String(http.StatusOK, greeting)
                })
                wg.Done()
-               e.Start(SCAddr)
+               _ = e.Start(SCAddr)
        }()
 
        wg.Wait()
        res, err := http.Get("http://"; + FrontAddr + "/sc/sayHi")
-       if err != nil {
-               t.Errorf("Error accessing sc proxy: %s", err)
-       }
-       if res.StatusCode != http.StatusOK {
-               t.Errorf("Expected http %d, got %d", http.StatusOK, 
res.StatusCode)
-       }
+       assert.NoError(t, err, "Error accessing sc proxy: %s", err)
+       assert.Equal(t, http.StatusOK, res.StatusCode, "Expected http %d, got 
%d", http.StatusOK, res.StatusCode)
+       defer res.Body.Close()
 
        body, err := ioutil.ReadAll(res.Body)
        if err != nil {
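Review bot: `_ = e.Start(SCAddr)` discards the listen error, so if the mock backend cannot bind (for example the port is still held from another test) the only symptom is a failed `http.Get` in the main goroutine with no hint of the cause. Because this server is never shut down, `Start` only returns on a bind failure, so surfacing it is cheap: `if err := e.Start(SCAddr); err != nil { t.Logf("starting mock sc: %v", err) }`. Note that `wg.Done()` on the context line above runs before `Start`, so the request can race the listener; that is pre-existing, but the swallowed error makes such a failure harder to diagnose. TestSCProxy continues past the end of this hunk.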
@@ -87,5 +81,25 @@ func TestSCProxy(t *testing.T) {
        if string(body) != greeting {
                t.Errorf("Expected %s, got %s", greeting, string(body))
        }
+}
+
+func TestDirectoryTraversal(t *testing.T) {
+       var wg sync.WaitGroup
+
+       cfg := Config{
+               scAddr:       "http://"; + SCAddr,
+               frontendAddr: FrontAddr,
+       }
 
+       wg.Add(1)
+       go func() {
+               wg.Done()
+               Serve(cfg)
+       }()
+
+       wg.Wait()
+       res, err := http.Get("http://"; + FrontAddr + "/..\\/main.go")
+       assert.NoError(t, err, "Error accessing frontend: %s", err)
+       assert.Equal(t, http.StatusNotFound, res.StatusCode, "Expected http 
status is 404")
+       _ = res.Body.Close()
 }
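Review bot: The new test checks only the 404 status, so a regression that serves the file under a different status, or a not-found handler that still echoes file contents, would pass; read the body and assert it does not contain the source, e.g. `body, _ := ioutil.ReadAll(res.Body)` followed by `assert.NotContains(t, string(body), "package main")`. Nothing else in this commit touches the serving path, so the protection being exercised presumably comes from the echo/v4 version pinned in the go.mod hunk; a comment on the test such as `// Regression test for SCB-2094; relies on path cleaning in the pinned echo/v4.` would make that dependency explicit. `Serve(cfg)` is also started on FrontAddr again although TestStatic already serves there, and its error is dropped, so if the second bind fails the test silently relies on the earlier server and becomes order-dependent.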
diff --git a/go.mod b/go.mod
index 1093441..ace45b6 100644
--- a/go.mod
+++ b/go.mod
@@ -33,8 +33,7 @@ require (
        github.com/jonboulle/clockwork v0.2.2 // indirect
        github.com/karlseguin/ccache 
v2.0.3-0.20170217060820-3ba9789cfd2c+incompatible
        github.com/karlseguin/expect v1.0.7 // indirect
-       github.com/labstack/echo 
v3.2.2-0.20180316170059-a5d81b8d4a62+incompatible
-       github.com/labstack/echo/v4 v4.1.17
+       github.com/labstack/echo/v4 v4.1.18-0.20201218141459-936c48a17e97
        github.com/mattn/go-runewidth v0.0.9 // indirect
        github.com/natefinch/lumberjack v0.0.0-20170531160350-a96e63847dc3
        github.com/olekukonko/tablewriter v0.0.0-20180506121414-d4647c9c7a84
