public function FileUploadResourceTestBase::testFileUploadStrippedFilePath in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php \Drupal\Tests\rest\Functional\FileUploadResourceTestBase::testFileUploadStrippedFilePath()
  2. 10 core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php \Drupal\Tests\rest\Functional\FileUploadResourceTestBase::testFileUploadStrippedFilePath()

Tests using the file upload route with any path prefixes being stripped.

See also

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Dispos...

File

core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php, line 360

Class

FileUploadResourceTestBase
Tests binary data file upload route.

Namespace

Drupal\Tests\rest\Functional

Code

public function testFileUploadStrippedFilePath() {
  $this->initAuthentication();
  $this->provisionResource([static::$format], static::$auth ? [static::$auth] : [], ['POST']);
  $this->setUpAuthorization('POST');
  $uri = Url::fromUri('base:' . static::$postUri);
  $response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => 'file; filename="directory/example.txt"']);
  $this->assertSame(201, $response->getStatusCode());
  $expected = $this->getExpectedNormalizedEntity();
  $this->assertResponseData($expected, $response);

  // Check the actual file data. It should have been written to the configured
  // directory, not /foobar/directory/example.txt.
  $this->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
  $response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => 'file; filename="../../example_2.txt"']);
  $this->assertSame(201, $response->getStatusCode());
  $expected = $this->getExpectedNormalizedEntity(2, 'example_2.txt', TRUE);
  $this->assertResponseData($expected, $response);

  // Check the actual file data. It should have been written to the configured
  // directory, not two levels above it as ../../example_2.txt requested.
  $this->assertSame($this->testFileData, file_get_contents('public://foobar/example_2.txt'));
  $this->assertFileDoesNotExist('../../example_2.txt');

  // Check a path from the root. Extensions have to be empty to allow a file
  // with no extension to pass validation.
  $this->field->setSetting('file_extensions', '')->save();
  $this->refreshTestStateAfterRestConfigChange();
  $response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => 'file; filename="/etc/passwd"']);
  $this->assertSame(201, $response->getStatusCode());
  $expected = $this->getExpectedNormalizedEntity(3, 'passwd', TRUE);

  // This mime will be guessed as there is no extension.
  $expected['filemime'][0]['value'] = 'application/octet-stream';
  $this->assertResponseData($expected, $response);

  // Check the actual file data. It should have been written to the configured
  // directory, not to the absolute path /etc/passwd.
  $this->assertSame($this->testFileData, file_get_contents('public://foobar/passwd'));
}
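
The behaviour this test pins down, shown as a stand-alone added example (not Drupal's own implementation): the client-supplied filename in Content-Disposition is reduced to its leaf name before it is joined to the configured directory. The function names strip_upload_filename() and upload_destination() are hypothetical, and only the quoted filename="..." form sent by the test is parsed.

```php
<?php
// Added example; function names are hypothetical, not Drupal API.

/**
 * Returns the leaf file name from a Content-Disposition header value.
 *
 * @throws InvalidArgumentException when no usable file name is present.
 */
function strip_upload_filename(string $header): string {
  if (!preg_match('/\bfilename="([^"]+)"/', $header, $m)) {
    throw new InvalidArgumentException('No filename in Content-Disposition.');
  }
  // Treat backslashes as separators too, so Windows-style prefixes are
  // stripped even on a POSIX host.
  $raw = str_replace('\\', '/', $m[1]);
  if (strpos($raw, "\0") !== FALSE) {
    throw new InvalidArgumentException('NUL byte in file name.');
  }
  // basename() discards every directory component, including "../" runs
  // and a leading "/".
  $name = basename($raw);
  // What remains must be a real leaf name, not a directory reference.
  if ($name === '' || $name === '.' || $name === '..') {
    throw new InvalidArgumentException('Unusable file name.');
  }
  return $name;
}

/**
 * Joins the stripped name to the configured upload directory.
 */
function upload_destination(string $directory, string $header): string {
  return $directory . '/' . strip_upload_filename($header);
}

// The three header values the test sends, mapped to the locations its
// assertions read back from (configured directory: public://foobar).
$cases = [
  'file; filename="directory/example.txt"' => 'public://foobar/example.txt',
  'file; filename="../../example_2.txt"' => 'public://foobar/example_2.txt',
  'file; filename="/etc/passwd"' => 'public://foobar/passwd',
];
foreach ($cases as $header => $expected) {
  $actual = upload_destination('public://foobar', $header);
  if ($actual !== $expected) {
    throw new RuntimeException("Unexpected destination: $actual");
  }
  echo $header, ' => ', $actual, PHP_EOL;
}
```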