Add test demonstrating unsafe directory traversal

Author: jhlywa

test/elli_static_tests.erl

@@ -7,7 +7,9 @@ elli_static_test_() ->
      fun setup/0, fun teardown/1,
      [?_test(readme()),
       ?_test(no_file()),
-      ?_test(not_found())]}.
+      ?_test(not_found()),
+      ?_test(safe_traversal()),
+      ?_test(unsafe_traversal())]}.
 
 
 readme() ->
@@ -28,6 +30,23 @@ not_found() ->
     {ok, Response} = httpc:request("http://localhost:3000/not_found"),
     ?assertMatch({{"HTTP/1.1",404,"Not Found"}, _Headers, "Not Found"}, Response).
 
+safe_traversal() ->
+    {ok, Response} = httpc:request("http://localhost:3000/elli_static/"
+                                   "../elli_static/README.md"),
+    {ok, File} = file:read_file("README.md"),
+    Expected = binary_to_list(File),
+    ?assertEqual([integer_to_list(iolist_size(Expected))],
+                 proplists:get_all_values("content-length", element(2, Response))),
+    ?assertMatch({_Status, _Headers, Expected}, Response).
+
+unsafe_traversal() ->
+    %% compute the relative path to /etc/passwd
+    {ok, Cwd} = file:get_cwd(),
+    PasswdPath = [".." || _ <- filename:split(Cwd)] ++ ["etc", "passwd"],
+    Path = filename:join(PasswdPath),
+
+    {ok, Response} = httpc:request("http://localhost:3000/elli_static/" ++ Path),
+    ?assertMatch({{"HTTP/1.1",404,"Not Found"}, _Headers, "Not Found"}, Response).
 
 setup() ->
     {ok, Dir} = file:get_cwd(),