test(utils): cover path verification, sanitization, and unique naming #9978
Merged
pkg/utils/path.go provides the security primitives for download paths
(VerifyPath, InTrustedRoot) and the file-naming helpers used by every
import flow (SanitizeFileName, GenerateUniqueFileName). None of them had
test coverage, so a future regression in the traversal check or in the
".." stripping inside SanitizeFileName would land unnoticed.
The new specs pin the lexical contract for each helper:
- VerifyPath accepts strict descendants and inner traversal that stays
inside the base, rejects "..", compound traversal, and the base path
itself. An explicit spec documents that the check is purely lexical
(filepath.Clean, not EvalSymlinks) so any future caller that needs
symlink-aware defence knows to EvalSymlinks first.
- InTrustedRoot rejects the trusted root and sibling directories,
accepts deeply nested descendants.
- SanitizeFileName covers the leading-directory and absolute-prefix
paths plus the embedded ".." case ("foo..bar" -> "foobar") that the
Clean+Base layer alone would leave intact.
- GenerateUniqueFileName covers the no-collision, single-collision,
walk-the-counter, and empty-extension cases using GinkgoT().TempDir()
so the suite stays hermetic.
Assisted-by: Claude:claude-opus-4-7 [Claude Code]
Signed-off-by: TLoE419 <tloemizuchizu@gmail.com>
mudler
approved these changes
May 29, 2026
Summary
pkg/utils/path.go provides the security primitives for download paths (VerifyPath, InTrustedRoot) plus the file-naming helpers used by every import flow (SanitizeFileName, GenerateUniqueFileName). None of them had any test coverage, so a future regression in the traversal check or in the .. stripping inside SanitizeFileName would land unnoticed.
This PR adds pkg/utils/path_test.go covering all four helpers. No production code changes.
What the new specs pin
- VerifyPath — accepts strict descendants and inner traversal that stays inside the base; rejects .., compound traversal, and the base path itself. An explicit spec documents that the check is purely lexical (filepath.Clean, not EvalSymlinks), so any future caller that needs symlink-aware defence knows to EvalSymlinks first.
- InTrustedRoot — rejects the trusted root itself and sibling directories; accepts deeply nested descendants.
- SanitizeFileName — covers the leading-directory and absolute-prefix paths plus the embedded .. case (foo..bar → foobar) that the Clean+Base layer alone would leave intact.
- GenerateUniqueFileName — covers the no-collision, single-collision, walk-the-counter, and empty-extension cases. All file-touching specs use GinkgoT().TempDir() so the suite stays hermetic.
Test plan
- go test ./pkg/utils/... — 47/47 specs pass (24 new, 23 pre-existing)
- go vet ./pkg/utils/... clean
- package utils_test, Describe/It, no stdlib testing calls)
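The lexical-versus-symlink distinction that the VerifyPath spec documents, shown as an added Go example; it is not code from this PR or from pkg/utils/path.go. The names lexicalInside, resolvedInside and strictDescendant are hypothetical, and the temp-dir layout is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// strictDescendant reports whether full lies strictly below base (both already cleaned).
func strictDescendant(base, full string) bool {
	rel, err := filepath.Rel(base, full)
	return err == nil && rel != "." && rel != ".." &&
		!strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// lexicalInside (hypothetical name) only normalises the string; the filesystem is never consulted.
func lexicalInside(base, p string) bool {
	return strictDescendant(filepath.Clean(base), filepath.Join(base, p))
}

// resolvedInside (hypothetical name) resolves symlinks on both sides first and fails closed.
// Assumes the target exists; for a file not yet created, resolve its parent directory instead.
func resolvedInside(base, p string) bool {
	realBase, err1 := filepath.EvalSymlinks(base)
	realFull, err2 := filepath.EvalSymlinks(filepath.Join(base, p))
	return err1 == nil && err2 == nil && strictDescendant(realBase, realFull)
}

// demo builds a constructed layout in a temp dir: <root>/models/link -> <root>.
func demo() (lexical, resolved bool, err error) {
	root, err := os.MkdirTemp("", "pathdemo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	base := filepath.Join(root, "models")
	if err = os.Mkdir(base, 0o755); err != nil {
		return false, false, err
	}
	if err = os.Symlink(root, filepath.Join(base, "link")); err != nil {
		return false, false, err
	}
	return lexicalInside(base, "link"), resolvedInside(base, "link"), nil
}

func main() {
	fmt.Println(demo()) // lexical verdict, resolved verdict, error
}
```

The lexical check accepts models/link because the string never leaves the base, while the resolved check rejects it because the link points at the parent directory.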