xuang7 commented on code in PR #4117:
URL: https://github.com/apache/texera/pull/4117#discussion_r2669666392


##########
file-service/src/test/scala/org/apache/texera/service/resource/DatasetResourceSpec.scala:
##########
@@ -1328,4 +1328,180 @@ class DatasetResourceSpec
     val part1 = fetchPartRows(uploadId).find(_.getPartNumber == 1).get
     part1.getEtag.trim should not be ""
   }
+
+  // 
===========================================================================
+  // Cover Image Tests
+  // 
===========================================================================
+
+  "updateDatasetCoverImage" should "reject path traversal attempts" in {
+    val maliciousPaths = Seq(
+      "../../../etc/passwd",
+      "v1/../../secret.txt",
+      "../escape.jpg"
+    )
+
+    maliciousPaths.foreach { path =>
+      val request = DatasetResource.CoverImageRequest(path)
+
+      assertThrows[BadRequestException] {
+        datasetResource.updateDatasetCoverImage(
+          baseDataset.getDid,
+          request,
+          sessionUser
+        )
+      }
+    }
+  }
+
+  it should "reject absolute paths" in {
+    val absolutePaths = Seq(
+      "/etc/passwd",
+      "/var/log/system.log"
+    )
+
+    absolutePaths.foreach { path =>
+      val request = DatasetResource.CoverImageRequest(path)
+
+      assertThrows[BadRequestException] {
+        datasetResource.updateDatasetCoverImage(
+          baseDataset.getDid,
+          request,
+          sessionUser
+        )
+      }
+    }
+  }
+
+  it should "reject invalid file types" in {
+    val invalidPaths = Seq(
+      "v1/script.js",
+      "v1/document.pdf",
+      "v1/data.csv"
+    )
+
+    invalidPaths.foreach { path =>
+      val request = DatasetResource.CoverImageRequest(path)
+
+      assertThrows[BadRequestException] {
+        datasetResource.updateDatasetCoverImage(
+          baseDataset.getDid,
+          request,
+          sessionUser
+        )
+      }
+    }
+  }
+
+  it should "reject empty or null cover image path" in {
+    assertThrows[BadRequestException] {
+      datasetResource.updateDatasetCoverImage(
+        baseDataset.getDid,
+        DatasetResource.CoverImageRequest(""),
+        sessionUser
+      )
+    }
+
+    assertThrows[BadRequestException] {
+      datasetResource.updateDatasetCoverImage(
+        baseDataset.getDid,
+        DatasetResource.CoverImageRequest(null),
+        sessionUser
+      )
+    }
+  }
+
+  it should "reject when user lacks WRITE access" in {
+    val request = DatasetResource.CoverImageRequest("v1/cover.jpg")
+
+    assertThrows[ForbiddenException] {
+      datasetResource.updateDatasetCoverImage(
+        baseDataset.getDid,
+        request,
+        sessionUser2
+      )
+    }
+  }
+
+  "getDatasetCover" should "reject private dataset cover for anonymous users" 
in {
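Review bot: The traversal and absolute-path tests do not actually prove that a traversal or absolute-path check exists, because most of their payloads ("../../../etc/passwd", "v1/../../secret.txt", "/etc/passwd", "/var/log/system.log") also lack an image extension, so the same `BadRequestException` would be thrown by the file-type check exercised in "reject invalid file types" even if the path validation were deleted; only "../escape.jpg" isolates the traversal rule. Use payloads that would pass every other check, e.g. `"../../../etc/cover.jpg"`, `"v1/../../cover.png"` and `"/etc/cover.jpg"`, and consider pinning the rejection reason with `the [BadRequestException] thrownBy { ... } should have message ...` (or a message `include`) so a regression in one check is not masked by another. It is also worth asserting after each rejection that the dataset's cover-image field is unchanged, since the current tests only check that an exception is raised. If the resource ever resolves the path against a filesystem rather than treating it as an opaque key, percent-encoded and backslash variants (`"v1/..%2f..%2fcover.jpg"`, `"v1\\..\\cover.jpg"`) should be added to the traversal list as well, but whether those need rejecting depends on the implementation, which is not visible here. The "getDatasetCover" test at the bottom begins in this hunk and its body lies outside it.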

Review Comment:
   Yes, this is a test case for a private dataset cover image being accessed by 
an anonymous user.


