fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152
@@ -687,6 +687,9 @@ func TestValidateDocmapPath_InRepoSymlinkAllowed(t *testing.T) {
|
||||
t.Fatalf("expected in-repo symlink to be accepted, got error: %v", err)
|
||||
}
|
||||
// The returned resolved path must be the real file (not the symlink entry).
|
||||
// validateDocmapPath calls filepath.EvalSymlinks internally, so the returned
|
||||
// path is always the fully-resolved real path — it can never equal the
|
||||
// symlink entry itself.
|
||||
if resolved == symlinkPath {
|
||||
|
|
||||
t.Errorf("expected resolved path to differ from symlink path")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user
[NIT] The new
TestValidateDocmapPath_InRepoSymlinkAllowedtest checksif resolved == symlinkPathto verify that the returned path differs from the symlink. On some systems (e.g., macOS where/tmpis a symlink to/private/tmp),t.TempDir()already returns an EvalSymlinks-resolved path, butsymlinkPathis constructed viafilepath.Join(dir, ...)which may not yet be resolved. The comparison is reliable here becausevalidateDocmapPathcallsEvalSymlinksinternally, soresolvedwill always differ fromsymlinkPath(a symlink entry). The assertion is correct but a comment clarifying why they must differ would help future readers.