describe "Upload media" do
setup do: oauth_access(["write:media"])
+ setup do: clear_config([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local)
+ setup do: clear_config([Pleroma.Uploaders.Local, :uploads], "uploads")
setup do
image = %Plug.Upload{
assert :ok == File.rm(Path.absname("test/tmp/large_binary.data"))
end
+
+ test "Do not allow nested filename", %{conn: conn, image: image} do
+ image = %Plug.Upload{
+ image
+ | filename: "../../../../../nested/file.jpg"
+ }
+
+ desc = "Description of the image"
+
+ media =
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/v1/media", %{"file" => image, "description" => desc})
+ |> json_response_and_validate_schema(:ok)
+
+ refute Regex.match?(~r"/nested/", media["url"])
+ end
end
describe "Update media description" do