From 57730187ede7e28051a52fce8eb95fe5fb7ac141 Mon Sep 17 00:00:00 2001
From: Tessa Walsh <tessa@bitarchivist.net>
Date: Thu, 31 Oct 2024 12:18:15 -0400
Subject: [PATCH] Add path traversal tests

---
 tests/test_integration.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tests/test_integration.py b/tests/test_integration.py
index e131ab3c..df1e44ef 100644
--- a/tests/test_integration.py
+++ b/tests/test_integration.py
@@ -516,6 +516,17 @@ def test_static_not_found(self):
 
         assert 'Static file not found: <b>notfound.css</b>' in resp.text
 
+    def test_path_traversal_not_found(self):
+        resp = self.testapp.get('/static/../../../../osfile.txt', status = 404)
+        assert resp.status_int == 404
+
+        assert 'Static file not found: <b>../../../../osfile.txt</b>' in resp.text
+
+        resp = self.testapp.get('/static%2F..%2F..%2F..%2F..%2Fosfile.txt', status = 404)
+        assert resp.status_int == 404
+
+        assert 'Static file not found: <b>..%2F..%2F..%2F..%2Fosfile.txt</b>' in resp.text
+
     def test_cdx_server_filters(self):
         resp = self.testapp.get('/pywb/cdx?url=http://www.iana.org/_css/2013.1/screen.css&filter=mime:warc/revisit&filter=filename:dupes.warc.gz')
         assert resp.content_type == 'text/x-cdxj'