test: graphql server path injection

Signed-off-by: Jaeyeon Park <[email protected]>
litmuschaos · Oct 6, 2024 · a1dce5e · a1dce5e
1 parent d920302
commit a1dce5e
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 8 deletions.
diff --git a/chaoscenter/graphql/server/pkg/chaoshub/handler/handler_test.go b/chaoscenter/graphql/server/pkg/chaoshub/handler/handler_test.go
@@ -157,6 +157,14 @@ func TestDownloadRemoteHub(t *testing.T) {
 			},
 			isError: true,
 		},
+		{
+			name:      "path injection",
+			projectID: uuid.New().String(),
+			chaosHub: model.CreateRemoteChaosHub{
+				Name:    uuid.New().String() + "../path/injection",
+				RepoURL: "https://github.com/litmuschaos/chaos-charts/archive/refs/heads/master.zip",
+			},
+		},
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -209,6 +217,14 @@ func TestSyncRemoteRepo(t *testing.T) {
 			},
 			isError: true,
 		},
+		{
+			name:      "path injection",
+			projectID: uuid.New().String(),
+			chaosHub: model.CloningInput{
+				Name:    uuid.New().String() + "../path/injection",
+				RepoURL: "https://github.com/litmuschaos/chaos-charts/archive/refs/heads/master.zip",
+			},
+		},
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {

diff --git a/chaoscenter/graphql/server/pkg/chaoshub/ops/gitops_test.go b/chaoscenter/graphql/server/pkg/chaoshub/ops/gitops_test.go
@@ -39,16 +39,52 @@ func clearCloneRepository(projectID string) {
 
 // TestGetClonePath is used to test the GetClonePath function
 func TestGetClonePath(t *testing.T) {
-	// given
 	projectID := uuid.New().String()
-	chaosHubConfig := chaosHubOps.ChaosHubConfig{
-		ProjectID: projectID,
-		HubName:   "test",
+
+	testCases := []struct {
+		name      string
+		projectID string
+		hubName   string
+		isDefault bool
+		expected  string
+	}{
+		{
+			name:      "default hub",
+			projectID: projectID,
+			hubName:   "defaultHub",
+			isDefault: true,
+			expected:  "/tmp/default/defaultHub",
+		},
+		{
+			name:      "non-default hub",
+			projectID: projectID,
+			hubName:   "testHub",
+			isDefault: false,
+			expected:  "/tmp/" + projectID + "/testHub",
+		},
+		{
+			name:      "path injection",
+			projectID: projectID,
+			hubName:   "testHub/../Path/Injection",
+			isDefault: false,
+			expected:  "/tmp/" + projectID + "/testHubPathInjection",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// given
+			chaosHubConfig := chaosHubOps.ChaosHubConfig{
+				ProjectID: tc.projectID,
+				HubName:   tc.hubName,
+				IsDefault: tc.isDefault,
+			}
+			// when
+			path := chaosHubOps.GetClonePath(chaosHubConfig)
+			// then
+			assert.Equal(t, tc.expected, path)
+		})
 	}
-	// when
-	path := chaosHubOps.GetClonePath(chaosHubConfig)
-	// then
-	assert.Equal(t, "/tmp/"+projectID+"/test", path)
 }
 
 // TestGitConfigConstruct is used to test the GitConfigConstruct function