add extra $path validation to TenantAssetsController

2025-12-12 12:54:05 +00:00 · 2023-08-24 18:21:23 +02:00 · 2023-08-24 18:21:23 +02:00 · 4af70d302f
commit 4af70d302f
parent 395192442d
3 changed files with 31 additions and 1 deletions
--- a/tests/TenantAssetTest.php
+++ b/tests/TenantAssetTest.php
@ -141,4 +141,17 @@ class TenantAssetTest extends TestCase
        $response->assertNotFound();
    }

+    public function test_asset_controller_returns_a_403_when_an_invalid_path_is_provided()
+    {
+        TenantAssetsController::$tenancyMiddleware = InitializeTenancyByRequestData::class;
+
+        $tenant = Tenant::create();
+
+        tenancy()->initialize($tenant);
+        $response = $this->get(tenant_asset('../foo.txt'), [
+            'X-Tenant' => $tenant->id,
+        ]);
+
+        $response->assertForbidden();
+    }
 }