fix: more test coverage

ferhatelmas · ferhatelmas · commit bf8efffd468f · 2026-03-06T10:41:01.000+01:00
Signed-off-by: ferhat elmas &lt;elmas.ferhat@gmail.com&gt;
diff --git a/src/test/limits.test.ts b/src/test/limits.test.ts
@@ -17,6 +17,10 @@ describe('isValidKey', () => {
     expect(isValidKey('invalid\x01name')).toBe(false)
   })
 
+  test('accepts DEL (0x7F) as a valid key character', () => {
+    expect(isValidKey('valid\x7Fname')).toBe(true)
+  })
+
   test('rejects non-characters U+FFFE and U+FFFF', () => {
     expect(isValidKey(`invalid${'\uFFFE'}`)).toBe(false)
     expect(isValidKey(`invalid${'\uFFFF'}`)).toBe(false)
diff --git a/src/test/object.test.ts b/src/test/object.test.ts
@@ -2431,6 +2431,34 @@ describe('testing retrieving signed URL', () => {
     expect(body.error).toBe('InvalidSignature')
   })
 
+  test('rejects double-encoded signed object paths', async () => {
+    const objectName = `public/signed-double-${randomUUID()}-일이삼.txt`
+    await seedObjectForRouteTest(objectName)
+
+    const urlToSign = `bucket2/${objectName}`
+    const jwtToken = await signJWT({ url: urlToSign }, jwtSecret, 100)
+    const encodedPath = urlToSign
+      .split('/')
+      .map((segment) => encodeURIComponent(segment))
+      .join('/')
+
+    const validResponse = await appInstance.inject({
+      method: 'GET',
+      url: `/object/sign/${encodedPath}?token=${jwtToken}`,
+    })
+    expect(validResponse.statusCode).toBe(200)
+
+    const doubleEncodedPath = encodedPath.replaceAll('%', '%25')
+    const doubleEncodedResponse = await appInstance.inject({
+      method: 'GET',
+      url: `/object/sign/${doubleEncodedPath}?token=${jwtToken}`,
+    })
+
+    expect(doubleEncodedResponse.statusCode).toBe(400)
+    const body = doubleEncodedResponse.json<{ error: string }>()
+    expect(body.error).toBe('InvalidSignature')
+  })
+
   test('get object without a token', async () => {
     const response = await appInstance.inject({
       method: 'GET',
diff --git a/src/test/render-routes.test.ts b/src/test/render-routes.test.ts
@@ -1,3 +1,4 @@
+import { randomUUID } from 'node:crypto'
 import { generateHS512JWK, SignedToken, signJWT, verifyJWT } from '@internal/auth'
 import axios from 'axios'
 import dotenv from 'dotenv'
@@ -194,4 +195,53 @@ describe('image rendering routes', () => {
     const body = response.json<{ error: string }>()
     expect(body.error).toBe('InvalidSignature')
   })
+
+  it('will reject double-encoded signed render paths', async () => {
+    const objectName = `authenticated/render-double-${randomUUID()}-일이삼.png`
+    const encodedObjectName = objectName
+      .split('/')
+      .map((segment) => encodeURIComponent(segment))
+      .join('/')
+
+    const uploadResponse = await appInstance.inject({
+      method: 'POST',
+      url: `/object/bucket2/${encodedObjectName}`,
+      payload: Buffer.from('render double-encoded test'),
+      headers: {
+        authorization: `Bearer ${process.env.SERVICE_KEY}`,
+        'content-type': 'image/png',
+        'x-upsert': 'true',
+      },
+    })
+    expect(uploadResponse.statusCode).toBe(200)
+
+    const signURLResponse = await appInstance.inject({
+      method: 'POST',
+      url: `/object/sign/bucket2/${encodedObjectName}`,
+      payload: {
+        expiresIn: 60000,
+        transform: {
+          width: 100,
+          height: 100,
+          resize: 'contain',
+        },
+      },
+      headers: {
+        authorization: `Bearer ${process.env.SERVICE_KEY}`,
+      },
+    })
+    expect(signURLResponse.statusCode).toBe(200)
+
+    const signedURL = signURLResponse.json<{ signedURL: string }>().signedURL
+    const signedURLParsed = new URL(signedURL, 'http://localhost')
+    const doubleEncodedPath = signedURLParsed.pathname.replaceAll('%', '%25')
+    const doubleEncodedResponse = await appInstance.inject({
+      method: 'GET',
+      url: `${doubleEncodedPath}${signedURLParsed.search}`,
+    })
+
+    expect(doubleEncodedResponse.statusCode).toBe(400)
+    const body = doubleEncodedResponse.json<{ error: string }>()
+    expect(body.error).toBe('InvalidSignature')
+  })
 })
diff --git a/src/test/s3-adapter.test.ts b/src/test/s3-adapter.test.ts
@@ -107,16 +107,14 @@ describe('S3Backend', () => {
       expect(mockSend).toHaveBeenCalledTimes(1)
       const command = mockSend.mock.calls[0][0] as CopyObjectCommand
       expect(command).toBeInstanceOf(CopyObjectCommand)
-      expect(command.input.CopySource).toBe(
-        encodeCopySourceByPathToken('test-bucket', sourceKey)
-      )
+      expect(command.input.CopySource).toBe(encodeCopySourceByPathToken('test-bucket', sourceKey))
       expect(command.input.CopySource).toContain('test-bucket/source%20path/')
       expect(command.input.CopySource).not.toContain('test-bucket%2F')
     })
   })
 
   describe('uploadPartCopy', () => {
-    test('should preserve "/" and encode path tokens in CopySource', async () => {
+    test('should preserve "/" and encode path tokens in CopySource for unicode source keys', async () => {
       const lastModified = new Date('2024-01-01T00:00:00.000Z')
       mockSend.mockResolvedValue({
         CopyPartResult: {
@@ -147,9 +145,7 @@ describe('S3Backend', () => {
       expect(mockSend).toHaveBeenCalledTimes(1)
       const command = mockSend.mock.calls[0][0] as UploadPartCopyCommand
       expect(command).toBeInstanceOf(UploadPartCopyCommand)
-      expect(command.input.CopySource).toBe(
-        encodeCopySourceByPathToken('test-bucket', sourceKey)
-      )
+      expect(command.input.CopySource).toBe(encodeCopySourceByPathToken('test-bucket', sourceKey))
       expect(command.input.CopySource).toContain('test-bucket/source%20path/folder/')
       expect(command.input.CopySource).not.toContain('test-bucket%2F')
       expect(command.input.CopySourceRange).toBe('bytes=0-1024')
diff --git a/src/test/signed-url-route.test.ts b/src/test/signed-url-route.test.ts
@@ -18,9 +18,9 @@ describe('signed URL route path verification', () => {
     const signedObjectPath = 'bucket2/authenticated/casestudy.png'
     const rawPath = `/render/image/sign/${encodeObjectPathForURL(signedObjectPath)}?token=jwt`
 
-    expect(
-      doesSignedTokenMatchRequestPath(rawPath, '/render/image/sign', signedObjectPath)
-    ).toBe(true)
+    expect(doesSignedTokenMatchRequestPath(rawPath, '/render/image/sign', signedObjectPath)).toBe(
+      true
+    )
   })
 
   test('rejects double-encoded request paths', () => {
diff --git a/src/test/webhook-filter.test.ts b/src/test/webhook-filter.test.ts
@@ -28,6 +28,26 @@ describe('webhook filter', () => {
 
     expect(disabled).toBe(false)
   })
+
+  test('does not match path-segment URL-encoded disableEvents entries from external config', () => {
+    const objectName = '폴더/子目录/파일-🙂-q?foo=1&bar=%25+plus;semi:colon,#frag.png'
+    const eventType = 'ObjectCreated:Post'
+    const encodedByPathSegment = objectName
+      .split('/')
+      .map((segment) => encodeURIComponent(segment))
+      .join('/')
+
+    const disabled = shouldDisableWebhookEvent(
+      [`Webhook:${eventType}:bucket6/${encodedByPathSegment}`],
+      eventType,
+      {
+        bucketId: 'bucket6',
+        name: objectName,
+      }
+    )
+
+    expect(disabled).toBe(false)
+  })
 })
 
 function disabledEvents(eventType: string, objectName: string) {
