
test(ensemble): cover multipart upload path traversal rejection #2232

Draft
cursor[bot] wants to merge 1 commit into main from cursor/regression-test-coverage-853d

cursor[bot] commented May 23, 2026

Description

Adds a regression test so UploadUtils.uploadFiles continues to reject file paths containing .. segments with FormatException before any multipart or network work runs. This locks in the recent upload security fix (security(upload): reject file paths with .. segments in multipart uploads).

Related Issue

N/A (scheduled regression coverage automation)

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Documentation update
  • Refactoring (no functional changes)
  • Tests only

What Has Changed

  • Extended modules/ensemble/test/upload_path_security_test.dart with an async test that drives UploadUtils.uploadFiles using an ensemble File whose path contains parent-directory segments.

How to Test

  1. From modules/ensemble: flutter test test/upload_path_security_test.dart

Screenshots / Videos

N/A

Checklist

  • I have run flutter analyze and addressed any new warnings (Flutter SDK not available in this automation environment; CI should run analyze.)
  • I have run flutter test and all tests pass (not run locally here; please run the test file above in CI or locally.)
  • I have tested my changes on the relevant platform(s)
  • I have updated documentation if needed
  • My changes do not introduce new warnings or errors

Risky behavior now covered

Multipart uploads previously accepted disk paths from partially trusted inputs; rejecting .. segments prevents reading files outside the intended directory when building multipart requests.

Test files added/updated

  • modules/ensemble/test/upload_path_security_test.dart

Why this reduces regression risk

The helper uploadPathContainsParentSegment was already unit-tested, but a future refactor could remove or bypass the guard inside UploadUtils.uploadFiles while leaving the helper intact. This test asserts the upload pipeline still fails fast on traversal paths, with no dependency on network timing or a real HTTP server.

Cover UploadUtils.uploadFiles so paths with `..` fail with FormatException
before any HTTP I/O, matching the upload security hardening.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>
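
The fail-fast property this PR describes (a `..` path raises FormatException before any send is attempted), as an added sketch that is not the project's code or its test. `hasParentSegment`, `uploadAll`, `Sender` and `probe` are hypothetical stand-ins for the project's helper and `UploadUtils.uploadFiles`, whose real signatures are not shown on this page; matching on both `/` and `\` separators is an assumption, and the sample paths are constructed.

```dart
// Added illustration; every name here is a hypothetical stand-in, not the
// project's UploadUtils API.

/// True when any segment of [path] is exactly "..", on either separator.
bool hasParentSegment(String path) =>
    path.split(RegExp(r'[/\\]')).any((segment) => segment == '..');

/// Stand-in for the network layer so the check can count send attempts.
typedef Sender = Future<void> Function(List<String> paths);

/// Validates every path before handing anything to [send].
Future<void> uploadAll(List<String> paths, Sender send) async {
  for (final path in paths) {
    if (hasParentSegment(path)) {
      throw FormatException('Upload path contains a ".." segment', path);
    }
  }
  await send(paths);
}

/// Runs [uploadAll] with a counting sender; returns (rejected, sendCalls).
Future<(bool, int)> probe(List<String> paths) async {
  var sendCalls = 0;
  var rejected = false;
  try {
    await uploadAll(paths, (_) async => sendCalls++);
  } on FormatException {
    rejected = true;
  }
  return (rejected, sendCalls);
}

Future<void> main() async {
  // Constructed sample paths mapped to the expected (rejected, sendCalls).
  final cases = <List<String>, (bool, int)>{
    ['uploads/photo.png']: (false, 1),
    ['uploads/../../etc/passwd']: (true, 0),
    [r'uploads\..\secret.txt']: (true, 0),
    ['uploads/ok.png', '../outside.txt']: (true, 0), // one bad path blocks all
    ['uploads/notes..txt']: (false, 1), // dots inside a name are not a segment
  };
  for (final entry in cases.entries) {
    final result = await probe(entry.key);
    if (result != entry.value) {
      throw StateError('${entry.key}: expected ${entry.value}, got $result');
    }
  }
  print('all ${cases.length} cases behaved as expected');
}
```

Checking the send counter as well as the exception is what catches a refactor that moves the guard after the request is built: the helper's own unit tests would still pass in that case.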