From 8185f4dfdab578d644504a4f05e53feac42e6e40 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Wed, 10 Jul 2019 03:14:30 +0200
Subject: [PATCH] Test getFile inner_path security

---
 src/Test/TestFileRequest.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/Test/TestFileRequest.py b/src/Test/TestFileRequest.py
index ef28ee96..6a8d634a 100644
--- a/src/Test/TestFileRequest.py
+++ b/src/Test/TestFileRequest.py
@@ -48,6 +48,12 @@ class TestFileRequest:
 response = connection.request("getFile", {"site": site.address, "inner_path": "content.json", "location": 0, "file_size": 1234})
 assert "File size does not match" in response["error"]

+ # Invalid path
+ for path in ["../users.json", "./../users.json", "data/../content.json", ".../users.json"]:
+ for sep in ["/", "\\"]:
+ response = connection.request("getFile", {"site": site.address, "inner_path": path.replace("/", sep), "location": 0})
+ assert response["error"] == 'File read exception'
+
 connection.close()
 client.stop()
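Review bot: The assertion in the inner loop pins only the generic string 'File read exception', so for inputs such as `../users.json` or `.../users.json` the test may pass because the target simply cannot be read, not because the traversal was refused; the handler is not visible in this hunk, so that is an inference. If the same error is returned for ordinary read failures, only `data/../content.json` (which normalises to a file this test requests by name just above) clearly shows the path check itself firing. A regression would also surface as a bare KeyError, or as a failure that does not name the offending input; binding `inner_path = path.replace("/", sep)` and using `assert response.get("error") == 'File read exception', inner_path` would report which path and separator got through. Because `replace` converts every separator at once, mixed-separator forms of these paths are not exercised. The enclosing test method starts above the hunk.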