Merge branch 'develop' into foxing-patch-1
[akkoma] / test / pleroma / web / mastodon_api / controllers / media_controller_test.exs
index ff988a7fdcb70c5227731ab791d0957234cd7f79..7ff8cff6bd0b9e67400986c5a3cc1fa5449745f7 100644 (file)
@@ -13,6 +13,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
 
   describe "Upload media" do
     setup do: oauth_access(["write:media"])
+    setup do: clear_config([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local)
+    setup do: clear_config([Pleroma.Uploaders.Local, :uploads], "uploads")
 
     setup do
       image = %Plug.Upload{
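Review bot: The `uploads` value in the second added `setup` line is the relative path `"uploads"`, so where this describe block's files land depends on the working directory of the test run, and the hunk shows no cleanup for them. Because the block now also posts a traversal-style filename, a dedicated scratch directory would keep a regression from writing into the source tree. One option, with the path being only a suggestion, is `setup do: clear_config([Pleroma.Uploaders.Local, :uploads], Path.absname("test/tmp/uploads"))`. The describe block continues outside this hunk, so an existing cleanup step may already cover this.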
@@ -122,6 +124,23 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
 
       assert :ok == File.rm(Path.absname("test/tmp/large_binary.data"))
     end
+
+    test "Do not allow nested filename", %{conn: conn, image: image} do
+      image = %Plug.Upload{
+        image
+        | filename: "../../../../../nested/file.jpg"
+      }
+
+      desc = "Description of the image"
+
+      media =
+        conn
+        |> put_req_header("content-type", "multipart/form-data")
+        |> post("/api/v1/media", %{"file" => image, "description" => desc})
+        |> json_response_and_validate_schema(:ok)
+
+      refute Regex.match?(~r"/nested/", media["url"])
+    end
   end
 
   describe "Update media description" do
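Review bot: The only assertion, `refute Regex.match?(~r"/nested/", media["url"])`, passes for any URL that lacks that literal segment, so it would not catch a URL that still contains `..` or a file stored outside the configured uploads directory. Adding `refute media["url"] =~ ".."` and checking that no file was created above the uploads root would pin the property the test name describes. The test expects `:ok`, which suggests the filename is sanitised rather than the request rejected. If that is the intent, a one-line comment such as `# the upload succeeds; only the directory components of the filename are dropped` would make it explicit.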