public function FileUploadTest::testFileUploadStrippedFilePath in Drupal 10
Same name and namespace in other branches
- 8 core/modules/jsonapi/tests/src/Functional/FileUploadTest.php \Drupal\Tests\jsonapi\Functional\FileUploadTest::testFileUploadStrippedFilePath()
- 9 core/modules/jsonapi/tests/src/Functional/FileUploadTest.php \Drupal\Tests\jsonapi\Functional\FileUploadTest::testFileUploadStrippedFilePath()
Tests using the file upload route with any path prefixes being stripped.
See also
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Dispos...
File
- core/
modules/ jsonapi/ tests/ src/ Functional/ FileUploadTest.php, line 482
Class
- FileUploadTest
- Tests binary data file upload route.
Namespace
Drupal\Tests\jsonapi\FunctionalCode
public function testFileUploadStrippedFilePath() {
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'file; filename="directory/example.txt"',
]);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument();
$this
->assertResponseData($expected, $response);
// Check the actual file data. It should have been written to the configured
// directory, not /foobar/directory/example.txt.
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'file; filename="../../example_2.txt"',
]);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument(2, 'example_2.txt', TRUE);
$this
->assertResponseData($expected, $response);
// Check the actual file data. It should have been written to the configured
// directory, not /foobar/directory/example.txt.
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example_2.txt'));
$this
->assertFileDoesNotExist('../../example_2.txt');
// Check a path from the root. Extensions have to be empty to allow a file
// with no extension to pass validation.
$this->field
->setSetting('file_extensions', '')
->save();
$this
->rebuildAll();
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'file; filename="/etc/passwd"',
]);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument(3, 'passwd', TRUE);
// This mime will be guessed as there is no extension.
$expected['data']['attributes']['filemime'] = 'application/octet-stream';
$this
->assertResponseData($expected, $response);
// Check the actual file data. It should have been written to the configured
// directory, not /foobar/directory/example.txt.
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/passwd'));
}