add test for pathTraversal

commercetools/commercetools-sdk-java-api/src/integrationTest/java/commercetools/cart/CartQueryTests.java

@@ -15,6 +15,8 @@
 import commercetools.discount_code.DiscountCodeFixtures;
 import commercetools.utils.CommercetoolsTestUtils;
 
+import io.vrap.rmf.base.client.error.NotFoundException;
+
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
 
@@ -151,6 +153,16 @@ public void expandDiscountCodeReference() {
         });
     }
 
+    @Test
+    public void pathTraversal() {
+        CartsFixtures.withCart(cart -> {
+            NotFoundException e = org.junit.jupiter.api.Assertions.assertThrows(NotFoundException.class, () -> {
+                CommercetoolsTestUtils.getProjectApiRoot().carts().withId("../categories").get().executeBlocking();
+            });
+            Assertions.assertThat(e.getMessage()).contains("..%2Fcategories");
+        });
+    }
+
     private void withUpdateableCartAndDiscount(final BiFunction<Cart, DiscountCode, Cart> function) {
         DiscountCodeFixtures
                 .withUpdateableDiscountCode(discountCodeDraftBuilder -> discountCodeDraftBuilder.isActive(true)

commercetools/commercetools-sdk-java-api/src/test/java/com/commercetools/EncodePathParamTest.java

@@ -0,0 +1,21 @@
+
+package com.commercetools;
+
+import com.commercetools.api.client.ProjectApiRoot;
+import com.commercetools.api.defaultconfig.ApiRootBuilder;
+
+import io.vrap.rmf.base.client.ApiHttpRequest;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class EncodePathParamTest {
+    @Test
+    public void testPathTraversal() {
+        final ProjectApiRoot project = ApiRootBuilder.of().withApiBaseUrl("").build("test");
+
+        final ApiHttpRequest httpRequest = project.carts().withId("../categories").get().createHttpRequest();
+        Assertions.assertThat(httpRequest.getUri().toString()).isEqualTo("test/carts/..%2Fcategories");
+    }
+
+}