Add additional test case for new CodeOcean::File#read method

2022-09-02 17:52:24 +02:00
parent b6837e9539
commit 9050f02b7a
2 changed files with 21 additions and 2 deletions
--- a/app/models/code_ocean/file.rb
+++ b/app/models/code_ocean/file.rb
@ -58,7 +58,7 @@ module CodeOcean

    def read
      if native_file?
-        valid = Pathname(native_file.current_path).fnmatch? ::File.join(native_file.root, '**')
+        valid = Pathname(native_file.current_path).realpath.fnmatch? ::File.join(native_file.root, '**')
        return nil unless valid

        native_file.read
--- a/spec/models/code_ocean/file_spec.rb
+++ b/spec/models/code_ocean/file_spec.rb
@ -69,7 +69,26 @@ describe CodeOcean::File do
    end

    context 'when the path has been modified' do
-      before { file.update(native_file: '../../../../secrets.yml') }
+      before do
+        file.update_column(:native_file, '../../../../secrets.yml') # rubocop:disable Rails/SkipsModelValidations
+        file.reload
+      end
+
+      it 'does not read the native file' do
+        expect(file.read).not_to be_present
+      end
+    end
+
+    context 'when a symlink is used' do
+      let(:fake_upload_location) { File.join(CarrierWave::Uploader::Base.new.root, 'uploads', 'files', 'secrets.yml') }
+
+      before do
+        File.symlink Rails.root.join('config/secrets.yml'), fake_upload_location
+        file.update_column(:native_file, '../secrets.yml') # rubocop:disable Rails/SkipsModelValidations
+        file.reload
+      end
+
+      after { File.delete(fake_upload_location) }

      it 'does not read the native file' do
        expect(file.read).not_to be_present