From 96c3c556fc200ffe2dd4d9ab5a480d2a455c2560 Mon Sep 17 00:00:00 2001
From: motoyasu-saburi
Date: Sat, 1 Apr 2023 12:36:57 +0900
Subject: [PATCH] add test for Content-Disposition filename escaping process

---
 context_test.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/context_test.go b/context_test.go
index 1dec902c..54e6dacb 100644
--- a/context_test.go
+++ b/context_test.go
@@ -1032,6 +1032,20 @@ func TestContextRenderAttachment(t *testing.T) {
 assert.Equal(t, fmt.Sprintf("attachment; filename=\"%s\"", newFilename), w.Header().Get("Content-Disposition"))
 }
 
+func TestContextRenderAndEscapeAttachment(t *testing.T) {
+ w := httptest.NewRecorder()
+ c, _ := CreateTestContext(w)
+ maliciousFilename := "tampering_field.sh\";dummy=.go"
+ actualEscapedResponseFilename := "tampering_field.sh\\\";dummy=.go"
+
+ c.Request, _ = http.NewRequest("GET", "/", nil)
+ c.FileAttachment("./gin.go", maliciousFilename)
+
+ assert.Equal(t, 200, w.Code)
+ assert.Contains(t, w.Body.String(), "func New() *Engine {")
+ assert.Equal(t, fmt.Sprintf("attachment; filename=\"%s\"", actualEscapedResponseFilename), w.Header().Get("Content-Disposition"))
+}
+
 func TestContextRenderUTF8Attachment(t *testing.T) {
 w := httptest.NewRecorder()
 c, _ := CreateTestContext(w)
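Review bot: The new test pins only the double-quote case — `maliciousFilename` carries a single `"` and the final assertion expects `\"` — so it says nothing about how FileAttachment treats a backslash or a CR/LF in the filename, the other characters that can unbalance the quoted-string or end the header line in Content-Disposition. The escaping code itself is not in this hunk, so I cannot tell whether those are handled; a table-driven test with one case per character, with expected values taken from the escaping function's actual contract rather than guessed, would make the covered surface explicit instead of leaving it to this one example. The naming is also inverted: `actualEscapedResponseFilename` holds the expected value that is compared against `w.Header().Get(...)`, so `expectedEscapedFilename := "tampering_field.sh\\\";dummy=.go"` reads correctly. A one-line comment above the function, `// Verifies that a quote in the attachment filename is escaped rather than terminating the quoted-string of Content-Disposition.`, would record why the input is called malicious.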