IJHack / QtPass / 25745903787
55%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 72
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 28.988% (+0.4%) from 28.571%
25745903787

push

github

web-flow 
test(storemodel): three regression tests for path-traversal rejection in dropMimeData (#1466)

#1464 added a canonical-path check in StoreModel::executeDropAction that
refuses any drop whose source or destination resolves outside the
password store. The patch shipped with unit tests on the Util::isPathInStore
helper, but the integration of that helper into the drop flow was only
manually verified. These three tests close that gap by crafting mime
data with out-of-store source paths and asserting dropMimeData() returns
false without ever reaching Pass::Move/Copy.

- dropMimeDataRejectsSourceOutsideStore: mime carries /etc/passwd as
  the source. canDropMimeData() lets it through (it's a UI policy
  layer, not a fs check); executeDropAction's Util::isPathInStore call
  must reject.

- dropMimeDataRejectsAbsoluteOutsideSource: source is a real
  filesystem path inside a sibling QTemporaryDir, so the check runs
  through canonical resolution on an existing path rather than a
  non-existent one.

- dropMimeDataRejectsSymlinkEscape: creates a symlink physically
  inside the store that resolves to a sibling QTemporaryDir, then
  drops it onto a store-internal folder. canonicalFilePath() must
  follow the link and reject. Unix-only — symlink creation on
  Windows needs developer-mode / elevation.

Validated by temporarily defanging the guard (replacing the if
condition with `false && (...)`) — all three tests fail without the
check, confirming they actually exercise the security boundary. With
the guard in place, the qWarning output names each rejection.

Build clean. 33/33 storemodel tests pass (was 30, +3 new).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1948 of 6720 relevant lines covered (28.99%)

27.12 hits per line

Jobs
ID Job ID Ran Files Coverage
1 25745903787.1 72
28.99
 GitHub Action Run
Source Files on build 25745903787