From 0cb4f8e3e9cac932cec0d57431902e9b948f0f6e Mon Sep 17 00:00:00 2001
From: Jens Schulze
Date: Tue, 6 Aug 2024 12:19:39 +0200
Subject: [PATCH] add test for pathTraversal

---
 .../commercetools/cart/CartQueryTests.java | 12 +++++++++++
 .../commercetools/EncodePathParamTest.java | 21 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 commercetools/commercetools-sdk-java-api/src/test/java/com/commercetools/EncodePathParamTest.java
diff --git a/commercetools/commercetools-sdk-java-api/src/integrationTest/java/commercetools/cart/CartQueryTests.java b/commercetools/commercetools-sdk-java-api/src/integrationTest/java/commercetools/cart/CartQueryTests.java
index 002509251b2..38674c3493b 100644
--- a/commercetools/commercetools-sdk-java-api/src/integrationTest/java/commercetools/cart/CartQueryTests.java
+++ b/commercetools/commercetools-sdk-java-api/src/integrationTest/java/commercetools/cart/CartQueryTests.java
@@ -15,6 +15,8 @@
 import commercetools.discount_code.DiscountCodeFixtures;
 import commercetools.utils.CommercetoolsTestUtils;
 
+import io.vrap.rmf.base.client.error.NotFoundException;
+
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
 
@@ -151,6 +153,16 @@ public void expandDiscountCodeReference() {
 });
 }
 
+ @Test
+ public void pathTraversal() {
+ CartsFixtures.withCart(cart -> {
+ NotFoundException e = org.junit.jupiter.api.Assertions.assertThrows(NotFoundException.class, () -> {
+ CommercetoolsTestUtils.getProjectApiRoot().carts().withId("../categories").get().executeBlocking();
+ });
+ Assertions.assertThat(e.getMessage()).contains("..%2Fcategories");
+ });
+ }
+
 private void withUpdateableCartAndDiscount(final BiFunction function) {
 DiscountCodeFixtures
 .withUpdateableDiscountCode(discountCodeDraftBuilder -> discountCodeDraftBuilder.isActive(true)
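Review bot: The `cart` supplied by `CartsFixtures.withCart` is never referenced inside `pathTraversal()`, so the test creates and cleans up a cart that the assertion does not depend on; a request for the id `../categories` needs no existing cart, and dropping the wrapper removes an unrelated failure mode from a security regression test. The body also mixes a fully qualified JUnit `assertThrows` with AssertJ, where `Assertions.assertThatThrownBy(() -> ...executeBlocking()).isInstanceOf(NotFoundException.class).hasMessageContaining("..%2Fcategories");` would keep it to one library. Matching on the exception message presumably relies on the API echoing the request path, so a comment such as `// a 404 that carries ..%2Fcategories shows the id was sent percent-encoded, not resolved to /categories` would record what the assertion actually proves.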
diff --git a/commercetools/commercetools-sdk-java-api/src/test/java/com/commercetools/EncodePathParamTest.java b/commercetools/commercetools-sdk-java-api/src/test/java/com/commercetools/EncodePathParamTest.java
new file mode 100644
index 00000000000..d85cfe8ad5f
--- /dev/null
+++ b/commercetools/commercetools-sdk-java-api/src/test/java/com/commercetools/EncodePathParamTest.java
@@ -0,0 +1,21 @@
+
+package com.commercetools;
+
+import com.commercetools.api.client.ProjectApiRoot;
+import com.commercetools.api.defaultconfig.ApiRootBuilder;
+
+import io.vrap.rmf.base.client.ApiHttpRequest;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class EncodePathParamTest {
+ @Test
+ public void testPathTraversal() {
+ final ProjectApiRoot project = ApiRootBuilder.of().withApiBaseUrl("").build("test");
+
+ final ApiHttpRequest httpRequest = project.carts().withId("../categories").get().createHttpRequest();
+ Assertions.assertThat(httpRequest.getUri().toString()).isEqualTo("test/carts/..%2Fcategories");
+ }
+
+}
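Review bot: `testPathTraversal` pins only the `/` in `../categories`, so a regression in how other URL-significant characters are encoded in the `withId` path parameter would pass unnoticed. Further cases for `?`, `#`, `%` (including an id that is already encoded, such as `..%2Fcategories`) and `\` would fix the encoder's contract in one place; the expected strings are left open here because the encoder itself is not visible in this patch. A class-level comment such as `// path parameters must be percent-encoded so an id cannot change which resource the request targets` would state why the test exists.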