Skip to content

test(security): add path traversal regression tests for WebviewAssetServer#567

Open
laileni-aws wants to merge 1 commit into
aws:mainfrom
laileni-aws:feat/webview-asset-traversal-tests
Open

test(security): add path traversal regression tests for WebviewAssetServer#567
laileni-aws wants to merge 1 commit into
aws:mainfrom
laileni-aws:feat/webview-asset-traversal-tests

Conversation

@laileni-aws

Copy link
Copy Markdown
Contributor

Summary

Add three security regression tests to WebviewAssetServerTest that lock in the path-traversal guard introduced in PR #562 (commit d38b578).

New tests

Test Asserts
rejectsPathTraversalWithForbidden A ../-style traversal request is rejected (400 or 403) and does NOT leak content from outside the base directory
rejectsInvalidPathWithBadRequest A percent-encoded null byte (%00) in the path yields 400
servesDeeplyNestedAssetWithoutOverBlocking A legitimate deeply-nested asset (js/vendor/lib.js) still serves 200, proving the guard does not over-block

Why

The StaticFileHandler path traversal guard is a security-critical invariant. Without a regression test, a future refactor could silently reopen the traversal vector. These tests ensure the invariant is permanently locked in.

Testing

All tests follow the existing @TempDir + HttpClient pattern already used in the file. CI (Maven/Tycho) validates.

…erver

Add three security regression tests to WebviewAssetServerTest:

- rejectsPathTraversalWithForbidden: verifies that a ../-style traversal
  request is rejected (400/403) and does not leak file contents from
  outside the served base directory.
- rejectsInvalidPathWithBadRequest: verifies that a percent-encoded null
  byte (%00) in the path yields a 400 Bad Request response.
- servesDeeplyNestedAssetWithoutOverBlocking: positive regression test
  confirming deeply-nested legitimate assets (js/vendor/lib.js) still
  serve 200, proving the guard does not over-block.

These tests lock in the security invariant from PR aws#562 (commit d38b578)
that a path traversal request cannot escape the base directory.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants