Skip to content

Add negative test cases for path-traversal protection in update.retrieve()#44

Merged
rilma merged 2 commits intofeatures/upgrade-ci-cdfrom
copilot/sub-pr-40
Feb 21, 2026
Merged

Add negative test cases for path-traversal protection in update.retrieve()#44
rilma merged 2 commits intofeatures/upgrade-ci-cdfrom
copilot/sub-pr-40

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Feb 21, 2026
edited
Loading

The path-traversal protection in update.retrieve() lacked test coverage for failure paths, leaving the security-sensitive safe_extract logic unverified against regression.

Changes

  • New helper _make_tarball_with_traversal — builds tar fixtures with controlled (malicious) member names for use in negative tests
  • test_retrieve_path_traversal_raises — asserts ValueError is raised when a tar member uses a relative ../ escape path
  • test_retrieve_absolute_path_in_tar_raises — asserts ValueError is raised when a tar member uses an absolute path (e.g. /etc/passwd) outside the target directory
def test_retrieve_path_traversal_raises(self):
    with tempfile.TemporaryDirectory() as tmpdir:
        fake_path = self._make_tarball_with_traversal(
            tmpdir, "traversal.tar", "../malicious.txt"
        )
        with patch("pyiri2016.api.update.wget.download", return_value=fake_path):
            with self.assertRaises(ValueError):
                update.retrieve("http://example.com", "traversal.tar", directory=tmpdir)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Feb 21, 2026
Merged
@rilma
Add negative test cases for path-traversal protection in update.retri…
707a6d9 
…eve()

Co-authored-by: rilma <14822065+rilma@users.noreply.github.com>
Copilot AI changed the title [WIP] Update CI/CD pipeline based on review feedback Add negative test cases for path-traversal protection in update.retrieve() Feb 21, 2026
Copilot AI requested a review from rilma February 21, 2026 21:54
@rilma rilma marked this pull request as ready for review February 21, 2026 21:58
@rilma rilma merged commit 86840ed into features/upgrade-ci-cd Feb 21, 2026
@rilma rilma deleted the copilot/sub-pr-40 branch February 21, 2026 21:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@rilma rilma rilma approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@rilma rilma

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rilma