function FileUploadTest::testFileUploadStrippedFilePath

Same name and namespace in other branches
  1. 8.9.x core/modules/jsonapi/tests/src/Functional/FileUploadTest.php \Drupal\Tests\jsonapi\Functional\FileUploadTest::testFileUploadStrippedFilePath()
  2. 10 core/modules/jsonapi/tests/src/Functional/FileUploadTest.php \Drupal\Tests\jsonapi\Functional\FileUploadTest::testFileUploadStrippedFilePath()
  3. 11.x core/modules/jsonapi/tests/src/Functional/FileUploadTest.php \Drupal\Tests\jsonapi\Functional\FileUploadTest::testFileUploadStrippedFilePath()

Tests using the file upload route with any path prefixes being stripped.

See also

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Dispo…

File

core/modules/jsonapi/tests/src/Functional/FileUploadTest.php, line 482

Class

FileUploadTest
Tests binary data file upload route.

Namespace

Drupal\Tests\jsonapi\Functional

Code

public function testFileUploadStrippedFilePath() {
    $this->setUpAuthorization('POST');
    $this->config('jsonapi.settings')
        ->set('read_only', FALSE)
        ->save(TRUE);
    $uri = Url::fromUri('base:' . static::$postUri);
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="directory/example.txt"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedDocument();
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not /foobar/directory/example.txt.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="../../example_2.txt"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedDocument(2, 'example_2.txt', TRUE);
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not /foobar/directory/example.txt.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/example_2.txt'));
    $this->assertFileDoesNotExist('../../example_2.txt');
    // Check a path from the root. Extensions have to be empty to allow a file
    // with no extension to pass validation.
    $this->field
        ->setSetting('file_extensions', '')
        ->save();
    $this->rebuildAll();
    $response = $this->fileRequest($uri, $this->testFileData, [
        'Content-Disposition' => 'file; filename="/etc/passwd"',
    ]);
    $this->assertSame(201, $response->getStatusCode());
    $expected = $this->getExpectedDocument(3, 'passwd', TRUE);
    // This mime will be guessed as there is no extension.
    $expected['data']['attributes']['filemime'] = 'application/octet-stream';
    $this->assertResponseData($expected, $response);
    // Check the actual file data. It should have been written to the configured
    // directory, not /foobar/directory/example.txt.
    $this->assertSame($this->testFileData, file_get_contents('public://foobar/passwd'));
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.