function FileUploadResourceTestBase::testFileUploadStrippedFilePath

Same name in other branches
  1. 9 core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php \Drupal\Tests\rest\Functional\FileUploadResourceTestBase::testFileUploadStrippedFilePath()
  2. 8.9.x core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php \Drupal\Tests\rest\Functional\FileUploadResourceTestBase::testFileUploadStrippedFilePath()
  3. 11.x core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php \Drupal\Tests\rest\Functional\FileUploadResourceTestBase::testFileUploadStrippedFilePath()

Tests using the file upload route with any path prefixes being stripped.

See also

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Dispo…

File

core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php, line 366

Class

FileUploadResourceTestBase
Tests binary data file upload route.

Namespace

Drupal\Tests\rest\Functional

Code

public function testFileUploadStrippedFilePath() : void {
    $this->initAuthentication();
    $this->provisionResource([
        static::$format,
    ], static::$auth ? [
        static::$auth,
    ] : [], [
        'POST',
    ]);
    $this->setUpAuthorization('POST');
    $uri = Url::fromUri('base:' . static::$postUri);
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="directory/example.txt"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedNormalizedEntity();
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not /foobar/directory/example.txt.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="../../example_2.txt"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedNormalizedEntity(2, 'example_2.txt', TRUE);
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not two levels above it as ../../example_2.txt.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/example_2.txt'));
    $this->assertFileDoesNotExist('../../example_2.txt');
    // Check a path from the root. Extensions have to be empty to allow a file
    // with no extension to pass validation.
    $this->field
        ->setSetting('file_extensions', '')
        ->save();
    $this->refreshTestStateAfterRestConfigChange();
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="/etc/passwd"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedNormalizedEntity(3, 'passwd', TRUE);
    // This mime will be guessed as there is no extension.
    $expected['filemime'][0]['value'] = 'application/octet-stream';
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not to /etc/passwd.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/passwd'));
}
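
The behaviour this test asserts, as a stand-alone PHP sketch added here (not Drupal's own code): the client-supplied filename from Content-Disposition is reduced to its last path component before it is joined to the configured upload directory. The function names strippedUploadName() and uploadDestination() are hypothetical; the header values and the public://foobar directory are taken from the test above.

```php
<?php
declare(strict_types=1);

// Added illustration, not Drupal's implementation; both function names are hypothetical.
function strippedUploadName(string $header): string {
  // Accept only the quoted filename="..." form used in the test.
  if (!preg_match('/\bfilename="(?<name>[^"]+)"/', $header, $m)) {
    throw new InvalidArgumentException('No filename in Content-Disposition.');
  }
  // Treat backslashes as separators too, then keep only the last path component.
  $name = basename(str_replace('\\', '/', $m['name']));
  // Reject names that are empty, still name a directory, or carry a NUL byte.
  if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
    throw new InvalidArgumentException('Unusable filename.');
  }
  return $name;
}

// Joins the stripped name to the configured upload directory.
function uploadDestination(string $directory, string $header): string {
  return $directory . '/' . strippedUploadName($header);
}

// Header values from the test, mapped to the locations its assertions read back.
$cases = [
  'file; filename="directory/example.txt"' => 'public://foobar/example.txt',
  'file; filename="../../example_2.txt"' => 'public://foobar/example_2.txt',
  'file; filename="/etc/passwd"' => 'public://foobar/passwd',
];
foreach ($cases as $header => $expected) {
  $actual = uploadDestination('public://foobar', $header);
  if ($actual !== $expected) {
    throw new RuntimeException("Unexpected destination: $actual");
  }
  echo $header, ' => ', $actual, PHP_EOL;
}

// A name that consists only of a traversal sequence is rejected outright.
try {
  uploadDestination('public://foobar', 'file; filename="../.."');
} catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```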
