function FileUploadResourceTestBase::testFileUploadStrippedFilePath

Same name in other branches
  1. 9 core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php \Drupal\Tests\rest\Functional\FileUploadResourceTestBase::testFileUploadStrippedFilePath()
  2. 8.9.x core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php \Drupal\Tests\rest\Functional\FileUploadResourceTestBase::testFileUploadStrippedFilePath()
  3. 11.x core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php \Drupal\Tests\rest\Functional\FileUploadResourceTestBase::testFileUploadStrippedFilePath()

Tests using the file upload route with any path prefixes being stripped.

See also

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Dispo…

File

core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php, line 366

Class

FileUploadResourceTestBase
Tests binary data file upload route.

Namespace

Drupal\Tests\rest\Functional

Code

public function testFileUploadStrippedFilePath() : void {
    $this->initAuthentication();
    $this->provisionResource([
        static::$format,
    ], static::$auth ? [
        static::$auth,
    ] : [], [
        'POST',
    ]);
    $this->setUpAuthorization('POST');
    $uri = Url::fromUri('base:' . static::$postUri);
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="directory/example.txt"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedNormalizedEntity();
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not /foobar/directory/example.txt.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="../../example_2.txt"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedNormalizedEntity(2, 'example_2.txt', TRUE);
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not /foobar/directory/example.txt.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/example_2.txt'));
    $this->assertFileDoesNotExist('../../example_2.txt');
    // Check a path from the root. Extensions have to be empty to allow a file
    // with no extension to pass validation.
    $this->field
        ->setSetting('file_extensions', '')
        ->save();
    $this->refreshTestStateAfterRestConfigChange();
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="/etc/passwd"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedNormalizedEntity(3, 'passwd', TRUE);
    // This mime will be guessed as there is no extension.
    $expected['filemime'][0]['value'] = 'application/octet-stream';
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not /foobar/directory/example.txt.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/passwd'));
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.