X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fpleroma%2Fweb%2Fmastodon_api%2Fcontrollers%2Fmedia_controller_test.exs;h=7ff8cff6bd0b9e67400986c5a3cc1fa5449745f7;hb=c2ae3273d5d8667967891e9c1672c653188e5446;hp=ff988a7fdcb70c5227731ab791d0957234cd7f79;hpb=fc6ab78a84b1ef384fa48349e792921364de5df9;p=akkoma
diff --git a/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
index ff988a7fd..7ff8cff6b 100644
--- a/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
+++ b/test/pleroma/web/mastodon_api/controllers/media_controller_test.exs
@@ -13,6 +13,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
 describe "Upload media" do
 setup do: oauth_access(["write:media"])
+ setup do: clear_config([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local)
+ setup do: clear_config([Pleroma.Uploaders.Local, :uploads], "uploads")
 setup do
 image = %Plug.Upload{
@@ -122,6 +124,23 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
 assert :ok == File.rm(Path.absname("test/tmp/large_binary.data"))
 end
+
+ test "Do not allow nested filename", %{conn: conn, image: image} do
+ image = %Plug.Upload{
+ image
+ | filename: "../../../../../nested/file.jpg"
+ }
+
+ desc = "Description of the image"
+
+ media =
+ conn
+ |> put_req_header("content-type", "multipart/form-data")
+ |> post("/api/v1/media", %{"file" => image, "description" => desc})
+ |> json_response_and_validate_schema(:ok)
+
+ refute Regex.match?(~r"/nested/", media["url"])
+ end
 end
 describe "Update media description" do
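Review bot: The only assertion in the added test "Do not allow nested filename", `refute Regex.match?(~r"/nested/", media["url"])`, inspects the literal URL string and nothing else, so it would still pass if the client-supplied filename were kept but percent-encoded in the URL, or if the stored path and the returned URL were derived differently (neither is visible in this hunk). Consider decoding before matching and rejecting parent-directory segments as well, e.g. `refute String.contains?(URI.decode(media["url"]), ["..", "/nested/"])`, and, if the uploader's target path is reachable from the test, asserting that nothing was created outside the configured `"uploads"` directory. A one-line comment above the test such as `# filename is client-controlled; path components must not reach the storage path` would record why the case exists. The `image` fixture comes from a `setup` block that is cut off at the end of the first hunk.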