test/nginx: prevent request() from normalising paths by alxndrsn · Pull Request #1949 · getodk/central

alxndrsn · 2026-06-04T14:57:54Z

This will be useful for testing nginx config at some point, and very misleading if trying to test path normalisation differences and request() collapses path traversals.

What has been done to verify that this works as intended?

existing tests pass
checked with new tests relating to collapsed path-traversal

Why is this the best possible solution? Were any other approaches considered?

While not immediately used, this will be useful for testing nginx config at some point, and very misleading if trying to test path normalisation differences and request() collapses path traversals.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

No effect.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

This will be useful for testing nginx config at some point, and very misleading if trying to test path normalisation differences if request() collapses path traversals.

test/nginx: prevent request() from normalising paths

df32700

This will be useful for testing nginx config at some point, and very misleading if trying to test path normalisation differences if request() collapses path traversals.

alxndrsn marked this pull request as ready for review June 4, 2026 15:01

matthew-white approved these changes Jun 5, 2026

View reviewed changes

Comment thread test/nginx/src/mocha/nginx.spec.js Outdated

Comment thread test/nginx/src/mocha/nginx.spec.js Outdated

Merge branch 'next' into allow-path-traversal

d096c04

alxndrsn mentioned this pull request Jun 6, 2026

test/nginx: extract request() and add testing #1955

Merged

2 tasks

alxndrsn and others added 6 commits June 6, 2026 10:27

Merge branch 'next' into allow-path-traversal

4c0ed4d

Merge branch 'next' into allow-path-traversal

88490a1

add test, fix bug

1a2c78e

document better

93a4f7d

remove blank line

d85e135

rename target

1c5d6e6

alxndrsn merged commit 4ec096d into getodk:next Jun 7, 2026
6 checks passed

alxndrsn deleted the allow-path-traversal branch June 7, 2026 11:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

test/nginx: prevent request() from normalising paths#1949

test/nginx: prevent request() from normalising paths#1949
alxndrsn merged 8 commits into
getodk:nextfrom
alxndrsn:allow-path-traversal

alxndrsn commented Jun 4, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

alxndrsn commented Jun 4, 2026

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Before submitting this PR, please make sure you have:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants