File: 02_dir_traversal.t

libdancer-perl 1.3521%2Bdfsg-1
use strict;
use warnings;


use Test::More import => ['!pass'];
use Dancer::Test;

# Regression test for directory traversal in static-file serving.
#
# Every path below must fail to produce a file response. If one is served,
# a request path was allowed to resolve outside the configured public
# directory. The assertion only checks that the lookup result is false; the
# HTTP status the client would eventually get is not inspected here.
#
# NOTE(review): presumably a fixture named `secretfile` sits outside the
# `static` directory so the first two paths would hit a real file if
# traversal worked -- confirm against the test tree.
# NOTE(review): only the literal forms listed are exercised; encoded or
# alternate-separator spellings would need their own cases.
my @try_paths = (
    '/css/../../secretfile',
    '../secretfile',
    '/etc/passwd',
    '../../../../../../../../../../../../etc/passwd',
);

# One assertion per candidate path.
plan( tests => scalar(@try_paths) );

use Dancer ':syntax';

# Serve static files from the `static` directory next to this test file.
set( public => path( dirname(__FILE__), 'static' ) );

# Read the setting back; the value is not used further in this script.
my $public = setting('public');

foreach my $path (@try_paths) {
    # _get_file_response is an underscore-prefixed (private) helper of
    # Dancer::Test, called with a [ METHOD => path ] request spec.
    my $served = Dancer::Test::_get_file_response( [ GET => $path ] );

    # A false value means no static file was matched for this path.
    ok( !$served, "Request to $path did not return a file response" );
}