Disallow relative paths and specs

1 files changed, 27 insertions, 1 deletions

diff --git a/container-core/src/test/java/com/yahoo/restapi/PathTest.java b/container-core/src/test/java/com/yahoo/restapi/PathTest.java
index 0deb27ae0f2..5cbf80ff2ad 100644
--- a/container-core/src/test/java/com/yahoo/restapi/PathTest.java
+++ b/container-core/src/test/java/com/yahoo/restapi/PathTest.java
@@ -8,6 +8,7 @@ import java.net.URI;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
 
 /**
  * @author bratseth
@@ -64,8 +65,8 @@ public class PathTest {
     @Test
     public void testUrlEncodedPath() {
         assertTrue(new Path(URI.create("/a/%62/c")).matches("/a/b/c"));
-        assertTrue(new Path(URI.create("/a/%2e%2e/c")).matches("/a/../c"));
         assertFalse(new Path(URI.create("/a/b%2fc")).matches("/a/b/c"));
+        assertFalse(new Path(URI.create("/foo")).matches("/foo/bar/%2e%2e"));
 
         Path path = new Path(URI.create("/%61/%2f/%63"));
         assertTrue(path.matches("/a/{slash}/{c}"));
@@ -73,4 +74,29 @@ public class PathTest {
         assertEquals("c", path.get("c"));
     }
 
+    @Test
+    public void testInvalidPaths() {
+        assertInvalid(URI.create("/foo/../bar"));
+        assertInvalid(URI.create("/foo/%2e%2e/bar"));
+        assertInvalidPathSpec(URI.create("/foo/bar"), "/foo/bar/..");
+        assertInvalidPathSpec(URI.create("/foo/bar"), "/foo/../bar");
+    }
+
+    private void assertInvalid(URI uri) {
+        try {
+            new Path(uri);
+            fail("Expected exception");
+        } catch (IllegalArgumentException ignored) {
+        }
+    }
+
+    private void assertInvalidPathSpec(URI uri, String pathSpec) {
+        try {
+            Path path = new Path(uri);
+            path.matches(pathSpec);
+            fail("Expected exception");
+        } catch (IllegalArgumentException ignored) {
+        }
+    }
+
 }