honeyDueAPI/internal/services/path_utils_test.go

package services

import (
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestSafeResolvePath_Normal_Resolves(t *testing.T) {
	result, err := SafeResolvePath("/var/uploads", "images/photo.jpg")
	require.NoError(t, err)
	assert.Equal(t, "/var/uploads/images/photo.jpg", result)
}

func TestSafeResolvePath_SubdirPath_Resolves(t *testing.T) {
	result, err := SafeResolvePath("/var/uploads", "documents/2024/report.pdf")
	require.NoError(t, err)
	assert.Equal(t, "/var/uploads/documents/2024/report.pdf", result)
}

func TestSafeResolvePath_DotDotTraversal_Blocked(t *testing.T) {
	tests := []struct {
		name  string
		input string
	}{
		{"simple dotdot", "../etc/passwd"},
		{"nested dotdot", "../../etc/shadow"},
		{"embedded dotdot", "images/../../etc/passwd"},
		{"deep dotdot", "a/b/c/../../../../etc/passwd"},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			_, err := SafeResolvePath("/var/uploads", tt.input)
			assert.Error(t, err, "path traversal should be blocked: %s", tt.input)
		})
	}
}

func TestSafeResolvePath_AbsolutePath_Blocked(t *testing.T) {
	_, err := SafeResolvePath("/var/uploads", "/etc/passwd")
	assert.Error(t, err, "absolute paths should be blocked")
}

func TestSafeResolvePath_EmptyPath_Blocked(t *testing.T) {
	_, err := SafeResolvePath("/var/uploads", "")
	assert.Error(t, err, "empty paths should be blocked")
}

func TestSafeResolvePath_CurrentDir_Blocked(t *testing.T) {
	// "." resolves to the base dir itself — this is not a file, so block it
	_, err := SafeResolvePath("/var/uploads", ".")
	assert.Error(t, err, "bare current directory should be blocked")
}