added testing

2026-05-16 23:48:57 +02:00
parent 23c62fb1e6
commit f1d5c4a4fd
16 changed files with 1014 additions and 119 deletions
+8 -10
@@ -23,10 +23,8 @@ pub struct UploadQuery {
/// Allowed upload extensions. SVG, HTML, JS, executables intentionally absent —
/// /uploads/* is served as-is, so any active content there is XSS waiting to happen.
const ALLOWED_EXTS: &[&str] = &[
"jpg", "jpeg", "png", "webp", "gif", "avif",
"pdf", "txt", "md",
"mp3", "wav", "ogg",
"mp4", "webm", "mov",
"jpg", "jpeg", "png", "webp", "gif", "avif", "pdf", "txt", "md", "mp3", "wav", "ogg", "mp4",
"webm", "mov",
];
fn validate_filename(name: &str) -> Result<(), AppError> {
@@ -77,9 +75,9 @@ pub async fn delete_upload(
let uploads_dir = state.data_dir.join("uploads");
let file_path = uploads_dir.join(&filename);
let canonical_dir = fs::canonicalize(&uploads_dir).await.map_err(|e| {
AppError::Internal("Path resolution".to_string(), Some(e.to_string()))
})?;
let canonical_dir = fs::canonicalize(&uploads_dir)
.await
.map_err(|e| AppError::Internal("Path resolution".to_string(), Some(e.to_string())))?;
if let Ok(canonical_file) = fs::canonicalize(&file_path).await {
if !canonical_file.starts_with(&canonical_dir) {
warn!("Refused delete outside uploads dir: {}", filename);
@@ -209,9 +207,9 @@ pub async fn upload_file(
};
// Final containment check.
let canonical_dir = fs::canonicalize(&uploads_dir).await.map_err(|e| {
AppError::Internal("Path resolution".to_string(), Some(e.to_string()))
})?;
let canonical_dir = fs::canonicalize(&uploads_dir)
.await
.map_err(|e| AppError::Internal("Path resolution".to_string(), Some(e.to_string())))?;
if let Some(parent) = final_path.parent() {
let canonical_parent = fs::canonicalize(parent).await.map_err(|e| {
AppError::Internal("Path resolution".to_string(), Some(e.to_string()))