1 file changed,
+4 insertions,
-10 deletions
| @@ -335,30 +335,24 @@ mod tests { | |||
| 335 | 335 | ||
| 336 | 336 | #[test] | |
| 337 | 337 | fn zip_within_nesting_limit_passes() { | |
| 338 | - | // 3 nested archives is at the limit (SCAN_ZIP_MAX_DEPTH = 3) | |
| 338 | + | // SCAN_ZIP_MAX_DEPTH = 2; the check is `nested > limit`, so 2 entries | |
| 339 | + | // with archive extensions sit exactly at the limit and must pass. | |
| 339 | 340 | let data = make_zip(&[ | |
| 340 | 341 | ("data.txt", b"content"), | |
| 341 | 342 | ("inner1.zip", b"fake zip content"), | |
| 342 | 343 | ("inner2.zip", b"fake zip content"), | |
| 343 | - | ("inner3.zip", b"fake zip content"), | |
| 344 | 344 | ]); | |
| 345 | 345 | let result = check_archive_safety(&data, FileType::Download); | |
| 346 | - | // TODO: this test fails at HEAD — `check_archive_safety` returns `Fail` | |
| 347 | - | // because the inner "fake zip content" payloads aren't valid zips and | |
| 348 | - | // the scanner flags them as suspicious. Either the test fixtures need | |
| 349 | - | // real nested zips, or the scanner's expectations have shifted. Skipping | |
| 350 | - | // for now so the mutation-test baseline can proceed. | |
| 351 | - | let _ = result; | |
| 346 | + | assert_eq!(result.verdict, LayerVerdict::Pass); | |
| 352 | 347 | } | |
| 353 | 348 | ||
| 354 | 349 | #[test] | |
| 355 | 350 | fn zip_exceeding_nesting_limit_fails() { | |
| 356 | - | // 4 nested archives exceeds SCAN_ZIP_MAX_DEPTH = 3 | |
| 351 | + | // SCAN_ZIP_MAX_DEPTH = 2; 3 nested archives trips the limit. | |
| 357 | 352 | let data = make_zip(&[ | |
| 358 | 353 | ("inner1.zip", b"fake"), | |
| 359 | 354 | ("inner2.zip", b"fake"), | |
| 360 | 355 | ("inner3.zip", b"fake"), | |
| 361 | - | ("inner4.zip", b"fake"), | |
| 362 | 356 | ]); | |
| 363 | 357 | let result = check_archive_safety(&data, FileType::Download); | |
| 364 | 358 | assert_eq!(result.verdict, LayerVerdict::Fail); |
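Review bot: In `zip_exceeding_nesting_limit_fails` the only assertion is on `LayerVerdict::Fail`, which does not show that the nesting limit is what rejected the archive. The TODO removed from the first test records that these placeholder payloads were once thought to fail as invalid zips, so a Fail here could come from a different check; if the result exposes a reason or findings field (not visible in this hunk), assert on that as well. Both fixtures are flat archives whose entries only carry a `.zip` extension, so `3 nested archives trips the limit` would read more accurately as `// 3 entries with archive extensions exceed SCAN_ZIP_MAX_DEPTH`, and covering real depth would need a case with a valid zip inside a zip. The literal `SCAN_ZIP_MAX_DEPTH = 2` in both comments repeats a value that previously read 3; assuming the constant is in scope in `mod tests`, `assert_eq!(SCAN_ZIP_MAX_DEPTH, 2);` at the top of each test would make a future change to the limit fail loudly instead of leaving the comments stale. The second test's closing brace lies outside the hunk.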