function FileUploadTest::testFileUploadStrippedFilePath
Tests using the file upload route with any path prefixes being stripped.
See also
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
File
- core/modules/jsonapi/tests/src/Functional/FileUploadTest.php, line 482
Class
- FileUploadTest
- Tests binary data file upload route.
Namespace
Drupal\Tests\jsonapi\Functional
Code
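/**
 * Tests using the file upload route with any path prefixes being stripped.
 *
 * The filename in the Content-Disposition request header is chosen by the
 * client. Each request below sends a filename that carries a directory
 * component (a nested directory, a parent-relative path, an absolute path)
 * and the assertions check that only the final path segment is kept, so the
 * uploaded data ends up inside public://foobar.
 */
public function testFileUploadStrippedFilePath() {
  $this->setUpAuthorization('POST');
  $this->config('jsonapi.settings')
    ->set('read_only', FALSE)
    ->save(TRUE);
  $uri = Url::fromUri('base:' . static::$postUri);

  // Case 1: a nested directory in front of the filename.
  $response = $this->fileRequest($uri, $this->testFileData, [
    'Content-Disposition' => 'file; filename="directory/example.txt"',
  ]);
  $this->assertSame(201, $response->getStatusCode());
  $expected = $this->getExpectedDocument();
  $this->assertResponseData($expected, $response);
  // Check the actual file data. It should have been written to the configured
  // directory, not to a "directory" subfolder below it.
  $this->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
  // Assert the negative half of that claim as well, so a regression that
  // honours the client-supplied directory cannot go unnoticed.
  $this->assertFileDoesNotExist('public://foobar/directory/example.txt');

  // Case 2: a parent-relative ("../") prefix in front of the filename.
  $response = $this->fileRequest($uri, $this->testFileData, [
    'Content-Disposition' => 'file; filename="../../example_2.txt"',
  ]);
  $this->assertSame(201, $response->getStatusCode());
  $expected = $this->getExpectedDocument(2, 'example_2.txt', TRUE);
  $this->assertResponseData($expected, $response);
  // Check the actual file data. It should have been written to the configured
  // directory, not two levels above it.
  $this->assertSame($this->testFileData, file_get_contents('public://foobar/example_2.txt'));
  // NOTE(review): this relative path is resolved against the working directory
  // of the test process, not against public://foobar - confirm that this is
  // the location an unstripped "../../" prefix would actually reach.
  $this->assertFileDoesNotExist('../../example_2.txt');

  // Case 3: check a path from the root. Extensions have to be empty to allow
  // a file with no extension to pass validation.
  $this->field
    ->setSetting('file_extensions', '')
    ->save();
  $this->rebuildAll();
  $response = $this->fileRequest($uri, $this->testFileData, [
    'Content-Disposition' => 'file; filename="/etc/passwd"',
  ]);
  $this->assertSame(201, $response->getStatusCode());
  $expected = $this->getExpectedDocument(3, 'passwd', TRUE);
  // This mime will be guessed as there is no extension.
  $expected['data']['attributes']['filemime'] = 'application/octet-stream';
  $this->assertResponseData($expected, $response);
  // Check the actual file data. It should have been written to the configured
  // directory under the bare name "passwd", not to the absolute path sent in
  // the header.
  $this->assertSame($this->testFileData, file_get_contents('public://foobar/passwd'));
  // The leading directories of the absolute path must not be recreated below
  // the upload directory either.
  $this->assertFileDoesNotExist('public://foobar/etc/passwd');
}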
