Merge branch 'mergeback/2.5.3' into 'develop'

Mergeback: 2.5.3

Closes #3135

See merge request pleroma/pleroma!3927

2 files changed, 11 insertions, 0 deletions

diff --git a/test/pleroma/config/release_runtime_provider_test.exs b/test/pleroma/config/release_runtime_provider_test.exs
index e6d10b13e..8d2a93d6c 100644
--- a/test/pleroma/config/release_runtime_provider_test.exs
+++ b/test/pleroma/config/release_runtime_provider_test.exs
@@ -17,6 +17,8 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
     end
 
     test "merged runtime config" do
+      assert :ok == File.chmod!("test/fixtures/config/temp.secret.exs", 0o640)
+
       merged =
         ReleaseRuntimeProvider.load([], config_path: "test/fixtures/config/temp.secret.exs")
 
@@ -25,6 +27,8 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
     end
 
     test "merged exported config" do
+      assert :ok == File.chmod!("test/fixtures/config/temp.exported_from_db.secret.exs", 0o640)
+
       ExUnit.CaptureIO.capture_io(fn ->
         merged =
           ReleaseRuntimeProvider.load([],
@@ -37,6 +41,9 @@ defmodule Pleroma.Config.ReleaseRuntimeProviderTest do
     end
 
     test "runtime config is merged with exported config" do
+      assert :ok == File.chmod!("test/fixtures/config/temp.secret.exs", 0o640)
+      assert :ok == File.chmod!("test/fixtures/config/temp.exported_from_db.secret.exs", 0o640)
+
       merged =
         ReleaseRuntimeProvider.load([],
           config_path: "test/fixtures/config/temp.secret.exs",
diff --git a/test/pleroma/emoji/pack_test.exs b/test/pleroma/emoji/pack_test.exs
index 18b99da75..00001abfc 100644
--- a/test/pleroma/emoji/pack_test.exs
+++ b/test/pleroma/emoji/pack_test.exs
@@ -90,4 +90,8 @@ defmodule Pleroma.Emoji.PackTest do
 
     assert updated_pack.files_count == 1
   end
+
+  test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do
+    assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack")
+  end
 end