add test for Content-Disposition filename escaping process

2025-10-16 05:16:35 +08:00 · 2023-04-01 12:36:57 +09:00 · 2023-04-01 12:36:57 +09:00 · 96c3c556fc
commit 96c3c556fc
parent ded02a8857
1 changed files with 14 additions and 0 deletions
--- a/context_test.go
+++ b/context_test.go
@ -1032,6 +1032,20 @@ func TestContextRenderAttachment(t *testing.T) {
 	assert.Equal(t, fmt.Sprintf("attachment; filename=\"%s\"", newFilename), w.Header().Get("Content-Disposition"))
 }

+func TestContextRenderAndEscapeAttachment(t *testing.T) {
+	w := httptest.NewRecorder()
+	c, _ := CreateTestContext(w)
+	maliciousFilename := "tampering_field.sh\";dummy=.go"
+	actualEscapedResponseFilename := "tampering_field.sh\\\";dummy=.go"
+
+	c.Request, _ = http.NewRequest("GET", "/", nil)
+	c.FileAttachment("./gin.go", maliciousFilename)
+
+	assert.Equal(t, 200, w.Code)
+	assert.Contains(t, w.Body.String(), "func New() *Engine {")
+	assert.Equal(t, fmt.Sprintf("attachment; filename=\"%s\"", actualEscapedResponseFilename), w.Header().Get("Content-Disposition"))
+}
+
 func TestContextRenderUTF8Attachment(t *testing.T) {
 	w := httptest.NewRecorder()
 	c, _ := CreateTestContext(w)