Skip to content

test(ensemble): upload path guard and view-group index regression coverage#2234

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/regression-test-coverage-5271
Draft

test(ensemble): upload path guard and view-group index regression coverage#2234
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/regression-test-coverage-5271

Conversation

@cursor
Copy link
Copy Markdown

@cursor cursor Bot commented May 25, 2026

Description

Adds focused unit tests around recently merged security and navigation hardening: multipart upload path traversal rejection and ViewGroup index clamping.

Related Issue

Regression test coverage (automation).

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • Tests only (no production code changes)

What Has Changed

  • modules/ensemble/test/upload_path_security_test.dart: Extended uploadPathContainsParentSegment cases (double-dot in filenames vs segment traversal, backslash normalization). Added UploadUtils.uploadFiles test proving a .. path throws FormatException before any network I/O.
  • modules/ensemble/test/safe_view_group_payload_index_test.dart: Assert safeViewGroupPayloadIndex returns 0 when payloadLength is negative (defensive contract alongside empty payloads).

Risky behavior now covered

  1. Upload path traversal: Ensures photo..jpg-style names stay allowed while real .. segments are blocked, and that uploadFiles fails fast on malicious paths (no reliance on the helper alone).
  2. Stale ViewGroup index: Documents that invalid negative payload lengths clamp to 0, matching the payloadLength <= 0 guard used when menus shrink or payloads are inconsistent.

Why this reduces regression risk

  • Upload paths may originate from partially trusted YAML/API bindings; a failing guard or refactor could silently resume reading arbitrary filesystem paths. The new uploadFiles test ties the guard to the actual upload entry point.
  • safeViewGroupPayloadIndex is shared across drawer, sidebar, and bottom navigation; explicit edge cases prevent accidental changes to the clamp contract.

How to Test

From modules/ensemble:

flutter test test/upload_path_security_test.dart test/safe_view_group_payload_index_test.dart

Note: The automation VM did not have the Flutter SDK on PATH, so the above was not executed here. Please run these targets in CI or locally before merge.

Screenshots / Videos

N/A

Checklist

  • I have run flutter analyze and addressed any new warnings
  • I have run flutter test and all tests pass
  • I have tested my changes on the relevant platform(s)
  • I have updated documentation if needed
  • My changes do not introduce new warnings or errors (test-only; analyzer not run in agent)
Open in Web View Automation 

@cursoragent @sharjeelyunus
test(ensemble): harden upload path guard and view-group index coverage
3cf399f 
Add edge-case assertions for uploadPathContainsParentSegment, verify
UploadUtils.uploadFiles rejects traversal paths before I/O, and cover
safeViewGroupPayloadIndex when payload length is non-positive.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cursoragent